When a user wishes to access a protected resource, he is typically required to authenticate his identity and acquire permission to access that resource. In some systems, this is accomplished by the user proving that he is in possession of an authorizing device such as a token or a cell phone. In order to use a token, the user may enter a temporary token code displayed on the screen of the token to prove that he is in possession of the token or the user may physically attach the token to his computer. To use a cell phone for authentication, when the user attempts to access a protected resource, an authentication server may send an out-of-band message to the user's cell phone and the user may then enter information from that message into his computer proving possession of the cell phone.