Some online resources, such as email accounts (e.g., federal/military) and organization portals (e.g., federal/military), rely on hardware credential tokens to restrict/grant access thereto. The hardware credential tokens can take the form of a smartcard or other physical device and also act as an identity credential for an individual. In order to use the hardware credential token to access the resource, a user must possess the hardware credential token and have access to a device that can read the hardware credential token. Because a hardware credential token requires physical possession, typically along with a known secret (e.g., a PIN), a hardware credential token can provide strong authentication of an individual. As more and more users get accustomed to immediate and constant access to the internet through their mobile devices, however, relying on a hardware credential token for access to an online resource may inconvenience users, as most mobile devices cannot read a hardware credential token without an external accessory device coupled to the mobile device.