"And a router tells devices apart is by their MAC addresses"

There is no other identifiable information a router can get out of a device without authentication

That sounded wrong to me (I like a challenge), and of course some clever guys have already been and got at least 94% success at remote device fingerprinting.

See p.1702 and use of carrier frequency offset (CFO) for fingerprinting, this paper discusses other methods and auth of AP/devices too; https://www.cs.ucr.edu/~zhiyunq/pub/infocom18_wireless_finge... .

In most implementations, MAC addresses are the only indication of the device