Methods and apparatus are provided for authenticating a user using multi-server one-time passcode verification. A user is authenticated by receiving authentication information from the user; and authenticating the user based on the received authentication information using at least two authentication servers, wherein the received authentication information is based on a secret shared between a security token associated with the user and an authentication authority that provides the at least two authentication servers. For example, the authentication information can comprise a passcode comprised of a tokencode from the security token and a password from the user. The user can be authenticated only if, for example, all of the at least two authentication servers authenticate the received authentication information.