With mobile applications, an entity residing outside of a mobile device, such as a web service, may require the authentication of the user who possesses the device. The communication between an authentication consumer and a mobile device user must be trusted by both parties. It should be impossible, with such authentication, to modify the transferred data without such modification being detected by both parties. The mobile device user should easily know that an authentication request came from a bona-fide partner and not a rogue application. The authentication consumer must be assured that the authentication came from a specific device and was vetted by the user.