Other failure modes:
- Reinstalling the software,
- Factory resetting your phone
- Erasing your browser’s cookies or setting your browser not to save them.
- Clicking “deauthorize sessions” (maybe).
The problem with whitelists (or blacklists) is that you need a way to update them. As such, you really can not protect the whitelist itself with a whitelist without creating risk of lockout.
In a sense, new device login protection is a an alternative way of accomplishing this. If it does not recognize the device, it enforces a secondary authentication for those users that do not already have MFA enabled.
You might also cosider voting for “Option to force multiple login verification steps (force “multiple” 2FA / MFA)”, as it is less likely to result in lockout.