User contexts are a bit weird. I've thought about this a bit more...
Often, a user context is used when you store data about another [different] user. (For example, a parent has a role within their kid's user context. Or if a teacher/administrator leaves notes about a student.)
If the data is about yourself, and really applies to the whole system, I would say it is normally in system context. In this case, if the data is about how you log in, I think that is more related to the whole system than it is about you. In other words, the data is about how You log into System. It's not about how You log into You. (Subject vs object.)
To put it another way, I think as a guideline it is usually appropriate to use user context only if you could potentially have data in multiple user contexts. This is true of the two examples I gave above (a parent with two kids could have roles within Kid A's context and Kid B's context; a member of staff could leave notes on Kid A and Kid B, and maybe also on their own user context too) but it's not true if you are just storing data for one user about their system access. That data would never go in a different user context so I think it's really system data.
So I'd be tempted to use system context here (and not user context), consistently for both functions.
It would be good to get an answer from a privacy API expert though because it's definitely possible that the privacy API implementations made a different distinction than mine...
--sam