This isn’t novel, but it’s gaining traction:
The technique is known as device code phishing. It exploits “device code flow,” a form of authentication defined in the industry-wide OAuth standard. Device code flow is meant for logging printers, smart TVs, and similar devices into accounts. These devices usually lack browser support, which makes it hard to sign in with more conventional forms of authentication, such as entering usernames and passwords and completing two-factor authentication.
Instead of authenticating the user directly, the input-restricted device displays an alphabetic or alphanumeric device code along with a link associated with the user account. The user opens the link on a computer or another device on which signing in is easier and enters the code. The remote server then sends a token to the input-restricted device, which logs it into the account.
Device authorization relies on two paths: one from an app or code running on the input-restricted device that is requesting permission to log in, and the other from the browser of the device the user normally uses for signing in.
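The two paths described above, as an added example that is not part of the original post: a toy in-memory authorization server that follows the message shapes of the OAuth device authorization grant (RFC 8628). The class name, client ID, user names and the `login.example` URL are constructed for illustration, and the `issued` table stands in for whatever a real server records about a token.

```python
import secrets
import time

GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 grant type

class ToyAuthServer:
    """In-memory stand-in for an authorization server (constructed, not a real IdP)."""

    def __init__(self, lifetime=600, clock=time.monotonic):
        self.lifetime, self.clock = lifetime, clock
        self.pending = {}   # device_code -> state of one sign-in request
        self.issued = {}    # access_token -> account it grants access to

    def device_authorization(self, client_id):
        """Path 1: the app on the input-restricted device asks to log in."""
        device_code = secrets.token_urlsafe(32)  # secret, never shown to the user
        user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(8))
        self.pending[device_code] = {"client_id": client_id, "user_code": user_code,
                                     "expires": self.clock() + self.lifetime,
                                     "user": None, "denied": False}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",  # placeholder
                "expires_in": self.lifetime, "interval": 5}

    def submit_user_code(self, signed_in_user, user_code, approve=True):
        """Path 2: the user's browser, already signed in, submits the code."""
        for req in self.pending.values():
            if req["user_code"] == user_code and self.clock() < req["expires"]:
                req["user"] = signed_in_user if approve else None
                req["denied"] = not approve
                return True
        return False  # unknown or expired code

    def token(self, grant_type, device_code, client_id):
        """Path 1 again: the device polls until the user has acted."""
        if grant_type != GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.pending.get(device_code)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.clock() >= req["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if req["denied"]:
            del self.pending[device_code]
            return {"error": "access_denied"}
        if req["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # a device code is single use
        access_token = secrets.token_urlsafe(32)
        self.issued[access_token] = req["user"]
        return {"access_token": access_token, "token_type": "Bearer"}
```

The server hands the token to whichever client holds the `device_code`, and the account it covers is whichever signed-in user entered the `user_code`; the code is the only thing linking the two paths.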