You've probably typed a username or password hundreds of times though, or at least a fair portion of their userbase has. "This user normally types their password in 3 seconds but today they did it in 0.2 seconds" is a reasonable way to raise a red (or at least yellow) flag.