There's probably more here, but one thing I can think of is fingerprinting the client as part of the automated risk assessment, deciding whether and when to block attempts, trigger MFA, and recognize specific devices (and potentially tie them to specific users for whatever reason).