Makes sense. No action until the user clicks something on the page. One extra step but better than having “helpful bots” wreak havoc.
> to store a secret in the browser […] is doing a browser fingerprint match
I get the idea but I really dislike this. Assuming the user will use the same device or browser is an anti-pattern that causes problems with people, especially while crossing the mobile-desktop boundary. Generally any web functionality shouldn’t be browser dependent. Especially hidden state like that.