Authentication agents 302 and 304 can also enable the user to provide additional information about themselves or their devices. For example, the user can disclose familiar devices by performing: a network probe; a Bluetooth scan; an account sync; and a device-to-device sync. The user can also answer questions about themselves, and can explicitly register devices, biometrics, or any other information that will be used to respond to active or passive challenges.

The authentication agent can also use hints to discover when a device is being used by a different user, such as looking at when the user logs in to a different account, and looking for anomalous access patterns. Note that the system can possibly allow a user to authorize the use of their device(s) by one or more alternative users, which involves: ceasing collection of data for the main user; and synchronizing the alternative user's sampled data across all of the main user's accounts.

While performing authentication operations, authentication agents 302 and 304 communicate with local authentication database instances 306 and 308, respectively, which store credentials, usernames, passwords, secrets, cookies, tokens, and other secure items required for authentication. In the embodiment of the system illustrated in FIG. 3, there exists one instance of a local authentication database for each instance of an authentication agent. Moreover, the data in local authentication databases 306 and 308 can be synchronized by a synchronization module 316, so that local copies of the data are consistent with a master copy of the data stored in a global authentication database 318. For example, this synchronization process enables an encrypted password state to be synchronized across multiple devices.