| US 7,543,333 B2 | ||
| Enhanced computer intrusion detection methods and systems | ||
| Bhalchandra S. Pandit, Redmond, Wash. (US); Praerit Garg, Kirkland, Wash. (US); Richard B. Ward, Redmond, Wash. (US); Paul J. Leach, Seattle, Wash. (US); Scott A. Field, Redmond, Wash. (US); Robert P. Reichel, Redmond, Wash. (US); and John E. Brezak, Woodinville, Wash. (US) | ||
| Assigned to Microsoft Corporation, Redmond, Wash. (US) | ||
| Filed on Apr. 08, 2002, as Appl. No. 10/118,808. | ||
| Prior Publication US 2003/0191953 A1, Oct. 09, 2003 | ||
| Int. Cl. G06F 21/06 (2006.01); G06F 21/20 (2006.01); G06F 21/22 (2006.01); G06F 21/24 (2006.01); G08B 23/00 (2006.01); G06F 15/173 (2006.01); H04K 1/00 (2006.01) | ||
| U.S. Cl. 726/23 [709/224; 709/225; 713/182] | 39 Claims |

| 1. A method to enable detection of unauthorized access to a platform, the method comprising:
providing at least one parameter that is associated with an authentication process;
encrypting said at least one parameter to form at least one audit identifier;
combining a plurality of parameters associated with said authentication process to form said at least one parameter;
recording an audit entry in an audit log, the audit entry comprising the at least one audit identifier, an associated audit
event and an associated unique device identifier, wherein the audit entry is associated with a principal seeking authentication,
wherein the associated unique device identifier includes a device network address associated with the principal seeking authentication;
and
sending the audit entry to an auditing service over a network, said auditing service being configured to gather and analyze
a plurality of audit entries from a plurality of platforms;
wherein said sending enables said auditing service to analyze the recorded audit entry,
wherein the plurality of parameters associated with said authentication process comprise:
(i) user identifying information;
(ii) realm identifying information; and
(iii) a timestamp; and
wherein the auditing service tracks principal movement and login ID used at each platform of a plurality of platforms by analyzing
audit entries associated with said at least one audit identifier and with the principal seeking authentication, the analyzing
the associated audit entries comprising:
identifying within the associated audit entries, at least one audit entry that contains an audit event that is a switch event,
the switch event indicating that the principal seeking authentication has switched from a first login ID to a second login
ID; and
deducing that the principal is masquerading as a user associated with the second login ID based on correlation of the switch
event with audit identifiers, audit events and unique device identifiers contained in the associated audit entries.
|
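The following is an added example, written for this page and not code from Microsoft or from the patent, that walks through the shape of claim 1 end to end: the three parameters (user, realm, timestamp) are combined and key-transformed into an audit identifier, each platform records entries carrying that identifier, the audit event and the principal's device network address, and a central auditing service correlates a switch event with later entries to deduce that the original principal is masquerading under the second login ID. Every name, record layout and the sample log below is an assumption constructed for illustration. One deliberate substitution: the claim says the combined parameter is encrypted; this example uses an HMAC-SHA256 keyed digest instead so that it runs on the standard library alone.

```python
"""Audit-identifier pipeline in the shape of claim 1 (added illustration).

Assumptions (not from the patent): record layout, event names, the HMAC
stand-in for the claim's encryption step, and the constructed sample log.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed per-deployment audit key shared by the platforms and the auditing
# service (constructed for the example; not a real key).
AUDIT_KEY = b"example-audit-key-not-for-production"


def make_audit_identifier(user: str, realm: str, timestamp: int) -> str:
    """Combine user, realm and timestamp, then apply a keyed transform.

    The claim encrypts the combined parameter; HMAC-SHA256 is used here as a
    stand-in keyed transform.  The identifier is identical on every platform
    for the same authentication (same three inputs), so the auditing service
    can correlate entries without seeing the plaintext parameters.
    """
    combined = f"{user}@{realm}|{timestamp}".encode()
    return hmac.new(AUDIT_KEY, combined, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class AuditEntry:
    platform: str                        # host that recorded the entry
    audit_id: str                        # from make_audit_identifier
    event: str                           # "logon" or "switch"
    device_addr: str                     # unique device identifier: network address
    login_id: str                        # login ID in use after this event
    prior_login_id: Optional[str] = None  # switch events only: ID switched from


class AuditingService:
    """Gathers entries from many platforms and tracks principal movement."""

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def receive(self, entry: AuditEntry) -> None:
        """Entry sent by a platform over the network (simulated by a call)."""
        self.entries.append(entry)

    def movement(self, audit_id: str) -> List[Tuple[str, str]]:
        """(platform, login_id) for each entry tied to one authentication."""
        return [(e.platform, e.login_id) for e in self.entries if e.audit_id == audit_id]

    def detect_masquerade(self, audit_id: str) -> Optional[dict]:
        """Deduce masquerading by correlating a switch event with later entries.

        Returns None when no switch event exists for this audit identifier.
        Otherwise returns the original login ID, the assumed login ID, the
        device address, and the platforms where the assumed ID was used from
        that same device under the same audit identifier.
        """
        related = [e for e in self.entries if e.audit_id == audit_id]
        switches = [e for e in related if e.event == "switch"]
        if not switches:
            return None
        sw = switches[0]
        # Same audit identifier + same device address + post-switch login ID
        # => the same principal acting under the second login ID.
        used_at = sorted({
            e.platform for e in related
            if e.device_addr == sw.device_addr and e.login_id == sw.login_id
        })
        return {
            "original_login_id": sw.prior_login_id,
            "masquerading_as": sw.login_id,
            "device_addr": sw.device_addr,
            "platforms": used_at,
        }


def build_sample_service() -> AuditingService:
    """Constructed sample log (not a real capture): alice authenticates in
    realm CORP from 10.0.0.5, switches to bob on host-a, then moves to
    host-b and host-c as bob; carol's unrelated session is noise."""
    svc = AuditingService()
    alice = make_audit_identifier("alice", "CORP", 1_000)
    carol = make_audit_identifier("carol", "CORP", 1_005)
    for entry in [
        AuditEntry("host-a", alice, "logon", "10.0.0.5", "alice"),
        AuditEntry("host-a", alice, "switch", "10.0.0.5", "bob", prior_login_id="alice"),
        AuditEntry("host-b", alice, "logon", "10.0.0.5", "bob"),
        AuditEntry("host-c", alice, "logon", "10.0.0.5", "bob"),
        AuditEntry("host-b", carol, "logon", "10.0.0.9", "carol"),
    ]:
        svc.receive(entry)
    return svc


if __name__ == "__main__":
    svc = build_sample_service()
    aid = make_audit_identifier("alice", "CORP", 1_000)
    print("movement:", svc.movement(aid))
    print("masquerade:", svc.detect_masquerade(aid))
```

The correlation key is the audit identifier, not the login ID: once the principal switches to "bob", the login ID alone would make later entries indistinguishable from a genuine bob session, whereas the identifier derived from the original (user, realm, timestamp) still ties every platform's entry back to alice's authentication and device address.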