Interactions between users and institutions sometimes require a high degree of security. An example interaction is a banking transaction. Often, an institution provides tokens to its clients to allow the clients to securely log in to a remote service provided by the institution. The token is a physical device which allows the institution to verify the identity of the client. Each token is typically configured to provide one-time passcodes (OTPs) generated using a secret seed, the seeds only being stored on that token and on an authentication server for the remote service. The client is then able to present the OTP generated by the token to an agent of the authentication server as proof of identity.