Online services often involve the communication of sensitive material between the user agent associated with a client computer and the online service provider. Users typically prefer, and sometimes demand, hostile parties not have access to the communicated information. Identification and authentication mechanisms are used to ensure authenticated access, providing security for the sensitive information. But where an authentication ticket is misappropriated, or stolen, by a hostile party, the hostile party may obtain access by presenting the authentication ticket to the online service provider. Unfortunately, there is no way to ensure the party presenting an authentication ticket is, in fact, an authenticated party instead of a hostile party.