Professional authentication managers such as RSA Adaptive Authentication can gather 40 or 50 data points from which to tell if a user is somewhat the same or not. They apply a ratio to the value generated by which a user can be redirected to a challenge question. It's not foolproof but it prevents a lot of automated phishing or botnet scams from being able to automatically log in with your credentials.