I forget what the term for it is, but there's a principle that any dialog that's asking the user for credentials or authorization must be clearly delineated from the rest of the UI and thus "unspoofable".
The example I recall was a "ribbon" in the OS that slides out to reveal the dialog. If a dialog presented itself but the ribbon remained along the edge, you could immediately tell it was spoofed. Of course this requires the OS not allow untrusted code to reposition/hide the ribbon or present a full screen display without prompting the user.
Another example is iOS grays out the background (including status bar at the top) when presenting a modal password prompt. However this could easily be spoofed by a full screen native app. The only way to solve that is to require authorization to enter full screen mode.
Browsers are improving. At least Chrome shows the URL at the top of all popup windows. Entering full screen mode requires user authorization.
That of course doesn't solve the OP's problem of spoofing a floating window purely inside a webpage, but that really needs to be solved at the OS level.
This assumes that users are computer-savvy enough to (a) expect an unspoofable dialog at all, and (b) know which parts are unspoofable and how they should look.
We tried this with "AOL Certified Mail", which had an unspoofable official chrome, and I don't remember any serious drop in phishing.
This is the reason why I hated the move of the notification bar in Internet Explorer 9 from the top to the bottom of the window. And the UI is too simple to be spoofed.
But then of course, to relieve users from the burden of making security decisions one needs the whole chain of authentication of executables, access control and a trust system to dispense privileges.
Except you don't confirm anything. A fake UAC doesn't have any magic powers, nor can it pass your click on to the real UAC.
The problem UAC solves is that you click on a harmless dialog, but suddenly an important dialog is swapped in under your mouse. A fake UAC can't do that.