Yes, supporting multiple verification methods would make sense to me.
For the simplest devices that cannot do anything except respond to NTP client requests, there could be a protocol consisting of responding and not responding to requests made by the monitoring system. The device could be turned off (or blocked in the firewall) for one minute, then one minute turned on and this could repeat few times to make it unlikely a busy public server would pass by chance.