Nice concept, and it actually doesn't need a security hole to implement, by making the "client identification" Turing complete. The server could send a script which has read-only access to the client's memory space. Let the script compute some hash of the client memory and send it back, and you can identify if the client was 'real'. Randomize some aspects of the script so it can't be precomputed. It could also execute any amount of detection logic to find 'hostile' code loaded into the client's process.
Anyone wanting to fake such a login process would need to provide a scripting environment mirroring most of the memory state of the original client. Minor changes in the real client or detection scripts can cause huge work for the fake client creators.
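The challenge-response idea in the comment above, as an added illustration that is not part of the original post: the server picks a fresh nonce and a random set of byte ranges, the "script" keyed-hashes exactly those ranges in that order, and the server recomputes the answer over its own reference copy of the client. The segment contents, the `GENUINE_IMAGE` layout and the `seed` parameter (used only to make the example reproducible) are constructed for this example.

```python
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Image = Dict[str, bytes]

# Constructed stand-in for the client's immutable segments. A real server would
# hold a reference copy of the shipped binary's code and read-only data.
GENUINE_IMAGE: Image = {
    "text": bytes(range(256)) * 16,                       # 4096 bytes of "code"
    "rodata": b"client build 1.0 string table\x00" * 32,  # 960 bytes of strings
}


@dataclass(frozen=True)
class Challenge:
    nonce: bytes
    ranges: Tuple[Tuple[str, int, int], ...]  # (segment, offset, length)


def make_challenge(image: Image, n_ranges: int = 8,
                   nonce: Optional[bytes] = None,
                   seed: Optional[int] = None) -> Challenge:
    """Server side: a fresh nonce plus randomly chosen byte ranges, so the
    answer cannot be precomputed or replayed. 'seed' exists only so tests are
    reproducible (hypothetical parameter); production callers leave it None."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    if nonce is None:
        nonce = secrets.token_bytes(16)
    names = sorted(image)
    ranges = []
    for _ in range(n_ranges):
        seg = rng.choice(names)
        size = len(image[seg])
        length = rng.randint(16, min(512, size))
        offset = rng.randint(0, size - length)
        ranges.append((seg, offset, length))
    return Challenge(nonce=nonce, ranges=tuple(ranges))


def client_respond(image: Image, challenge: Challenge) -> bytes:
    """The 'script' the server ships: hash exactly the requested ranges, in the
    requested order, keyed with the nonce. A genuine client runs this over its
    own memory; a fake one must reproduce that memory to answer correctly."""
    mac = hmac.new(challenge.nonce, digestmod=hashlib.sha256)
    for seg, off, length in challenge.ranges:
        mac.update(seg.encode())
        mac.update(off.to_bytes(4, "big"))
        mac.update(length.to_bytes(4, "big"))
        mac.update(image[seg][off:off + length])
    return mac.digest()


def server_verify(reference: Image, challenge: Challenge, response: bytes) -> bool:
    """Server side: recompute over the known-good image, compare in constant time."""
    expected = client_respond(reference, challenge)
    return hmac.compare_digest(expected, response)


def tampered_copy(image: Image, seg: str, offset: int) -> Image:
    """Constructed 'hostile' client: the same image with one byte flipped."""
    data = bytearray(image[seg])
    data[offset] ^= 0x01
    return {**image, seg: bytes(data)}


def demo(seed: int = 1234) -> Dict[str, bool]:
    """Genuine client passes; a patched client fails; replaying an old answer
    against a fresh challenge fails."""
    ch = make_challenge(GENUINE_IMAGE, seed=seed, nonce=b"\x00" * 16)
    genuine = server_verify(GENUINE_IMAGE, ch, client_respond(GENUINE_IMAGE, ch))
    # Flip a byte inside a range this challenge actually covers.
    seg, off, _ = ch.ranges[0]
    bad = tampered_copy(GENUINE_IMAGE, seg, off)
    tampered = server_verify(GENUINE_IMAGE, ch, client_respond(bad, ch))
    # A fresh challenge has a new nonce and new ranges, so an old answer is useless.
    fresh = make_challenge(GENUINE_IMAGE, seed=seed + 1, nonce=b"\x01" * 16)
    replay = server_verify(GENUINE_IMAGE, fresh, client_respond(GENUINE_IMAGE, ch))
    return {"genuine": genuine, "tampered": tampered, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

Two design points the simulation makes visible: the reference image must be deterministic, which is why only code and read-only data are sampled here (heap and stack contents differ between runs of even a genuine client), and a single challenge only covers the ranges it happens to sample, so a modification elsewhere is caught only by re-randomizing on every login rather than by any one check.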