In computing systems it is known to perform user authentication operations by which users are authenticated as a condition to obtaining access to system services. User authentication attempts to confirm user identity. A simple example is password-based authentication, which is based on a user's possession of a supposedly secret, user-specific password. More complex and powerful examples include so-called multi-factor authentication, which require that a user satisfy conditions along multiple dimensions. For example, a system may require a user to supply a conventional static password and also be able to supply a one-time password that is sent to a user device such as a smart phone. The second dimension or factor in this case is the user's possession of a user-specific smart phone that has been registered in advance. In large computing systems, a so-called “federation” or “single sign-on” approach may be used in which authentication is centralized in one or more specialized servers and a secure protocol enables the authentication servers to supply credentials to system services on behalf of authenticated users.