Enterprises can control user access to enterprise applications, such as web applications, by authenticating users via user credentials, such as a username and password. Enterprises may wish to provide a more secure environment by implementing strong authentication, also known as second-factor authentication, which uses a second-factor credential in addition to user credentials (e.g., username, password). A typical second-factor authentication scheme involves the provisioning of a device (the “something you have” piece of the secure authentication scheme) with a shared secret. The shared secret may be a long string, a portion of which may be hashed to create an authentication token. The authentication token may be supplied at authentication time to prove to a server that the client has the same shared secret. Traditionally, the shared secret string has been provisioned to a device during a one-time setup. The shared secret is generally created by a server and then securely delivered to the device. The static shared secret, once provisioned, usually does not change, and may be prone to discovery, for example, by an attacker.