One possibility is that ThreatMetrix creates a [fingerprint](https://arxiv.org/pdf/1905.01051.pdf), and locally running applications are a part of the fingerprint. Consequently, the authentication algorithm stores attributes about your device(s) and compare them during each log in with the previous values. Seeing that you are logging in using a previously seen device, the algorithm can let you in with just a password without additional proves. However, should you use a new device, the algorithm might decide that additional authentication steps are required and send you an SMS.