The prompt would have to be after you authenticated your phone in some other way, like via the passcode.

I think it's totally OK not to accept authentication from an unvalidated device, but a legitimate user should be able to do the validation.