Enterprises can control user access to enterprise applications, such as web applications, by authenticating users via user credentials, such as a username and password. Enterprises may wish to provide a more secure environment by implementing two-factor authentication, which uses two or more authentication factors. The authentication factors include “something the user knows” (e.g., username, password, PIN, pattern), “something the user has” (e.g., a device, a computer, a mobile phone, a physical card, a smartcard, an authentication token), and “something the user is” (e.g., a biometric characteristic such as a fingerprint or a unique retina). When a user accesses a website that uses two-factor authentication, the website might request a username and password (“something the user knows”). The website can also detect or receive identification data from a device that correlates the user with the device (“something the user has”). The website can identify the device using a device tag. Conventional approaches are vulnerable to attackers that intercept the device tag and copy it to another device. Such approaches leave users susceptible to identity theft and online fraud. Other conventional approaches can lose track of a known or authenticated device when device tags are lost, removed or deleted.