User identification
Alexey, 2021-12-09 16:51:34

User authorization by device (smartphone)?

How can I organize user authorization on the site by device? We need a simplified login to the site for separately selected users from a smartphone without entering a login/password pair. Implementation in php.


3 answers
Vasily Bannikov, 2021-12-09
@vabka

This is extremely insecure, because without authentication it is impossible to make sure that this is exactly the device that is declared.
Look towards SSO and domain authentication (via Active Directory)

Nikolay Savelyev, 2021-12-09
@AgentSmith

Under no circumstances should this be done.
Forget about it

rPman, 2021-12-09
@rPman

Store the authorization session token in the browser cookies; then only a one-time authorization will be needed.
Which kind of authorization is the right one to choose?
Google offers authorization through your account, i.e. if the browser is already authorized (and it will be by default if a Google account is added to the smartphone, and it is added in the vast majority of cases, since by default many smartphones will not even allow themselves to be used without it); in this case, to gain access, the user will be shown a corresponding prompt in the browser:
https://developers.google.com/identity/protocols/o...
For the user, this process is usually a couple of taps on the screen, without entering a login and password.
PS: for authorization through other accounts (for example, Facebook or Yandex), look at their respective documentation.
PPS: more universal, but more expensive, and it will require the client's phone number: two-factor authorization via SMS (it will require an agreement with a provider for SMS delivery and some kind of library for two-factor).
PPPS: the most beautiful option (nobody's personal data goes anywhere) is to suggest that the user use a Time-based One-Time Password, one of the popular standards (from Google Authenticator, RFC 6238); Google, for example, shows this implementation. The user will need to install an appropriate application on the smartphone (there are plenty of them besides Google's own; there are built-in password managers, for example keepass2droid), but you won't have to register anywhere or give out your number, and the server owner won't need to pay for anything either.
Contrary to popular belief, this authorization is quite more than sufficient (if there are brute-force protections on the server, of course): the user just needs to give his login and the current TOTP value; no passwords or email are needed anymore (more often, email is needed for other tasks, when the service needs a way to contact the client).
P......S.: there is still authorization through GPG (bad with mobile, and for desktop browsers the extensions are not very popular), and even rarer, authorization through the private keys of cryptocurrency wallets... but it would be stupid for you to offer such exotica.
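As an added example (not code from rPman's answer or from any library), here is the RFC 6238 TOTP check the answer recommends, written server-side in Python rather than the PHP the question asks for (the arithmetic is identical in PHP with hash_hmac and pack), together with the brute-force protection the answer says the server must have and a replay check for an already-accepted code. The secret is the RFC 6238 test key; the window, failure count and lockout time are assumed values, not from the page.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Per-user server-side state for the login the answer describes
    (login + current TOTP), with the brute-force protection it calls for."""

    def __init__(self, secret: bytes, window: int = 1,
                 max_failures: int = 5, lockout_seconds: int = 300):
        self.secret = secret              # shared with the authenticator app
        self.window = window              # tolerate +-window steps of clock drift
        self.max_failures = max_failures  # assumed lockout policy, not from the page
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0
        self.last_step = -1               # highest time step already used to log in

    def verify(self, code: str, now: int) -> bool:
        """now is unix time, passed in explicitly so the check is testable."""
        if now < self.locked_until:
            return False                  # throttled after too many wrong codes
        current = now // 30
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue                  # a code already accepted is a replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step, self.failures = step, 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
        return False
```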
