An account that the principal uses regularly comes to trust the device it is used from. The provider notes the device, the location and the patterns of use. After some weeks the device is treated as familiar: the principal is no longer challenged at every login, and the small frictions of routine verification have been removed.
The convenience this produces is real and reasonable. A principal who logs in twenty times a week to the same account from the same device would not welcome being challenged each time. The trust accumulated by the device is, in this sense, an honest reflection of the use.
The trust, however, sits on the device rather than on the principal. What the account actually trusts is the physical object together with the tokens it has been issued. If the device passes out of the principal's hands while those tokens remain valid, the account continues to trust it as if the principal still held it.
The conditions in which this matters are familiar: a device that is lost; a device that is sold or given away without being properly reset; a device that is sent in for repair and not checked carefully on its return; a device that has been replaced but kept aside without being signed out. Each of these produces a window in which the account believes the principal is in front of it when the principal is not.
The work here is, as ever, administrative. It is about the regular auditing of which devices each significant account currently trusts; the deliberate signing out of devices that are no longer in use; the careful resetting of devices that pass out of the household; and the configuration, where the provider allows it, of alerts for new devices being added. The aim is that the trust the account has accumulated reflects the principal's current possession of the device rather than its historical one.