The answer, in my view, is that an agency test best distinguishes authorized use of a shared account from unauthorized use of a shared account. When the valid account holder gives login credentials to a third party, access by the third party is authorized when the third party acts as the agent of the account holder. On the other hand, access by a third party should be deemed unauthorized when the third party acts outside the scope of the agency. When passwords are shared, agents are authorized but nonagents are not.
An agency test accurately reflects the underlying delegation of authority. If the account holder shares a user name and password with an agent, and the agent accesses the account on the account holder’s behalf, the agent is acting in the place of the account holder. The agent should have the same authorization rights as the account holder. On the other hand, a third party who uses a password in pursuit of his own ends stands in the same place as a third party who has guessed or stolen the password.