Various security features may be employed to protect a user account with sensitive information from unauthorized access. For example, when a computing device (e.g., laptop computer) attempts to remotely log into an account, an authentication server may require a valid one-time password (OTP) from the computing device before granting access to the account. Unlike a static password, an OTP is not vulnerable to replay attacks. The OTP may be generated by a separate OTP device located near the computing device and communicated from the OTP device to the computing device. The OTP device may be a standalone device (e.g., hardware token) or an application running on a mobile device (e.g., smart phone).