A method includes (a) receiving, by the authentication server device, an authentication request from a requesting device in the name of a particular user, the requesting device being a mobile computer seeking access to the protected resource in the name of the particular user, (b) in response to receiving the authentication request, verifying that the requesting device is an enrolled device, the enrolled device being a mobile computer previously assigned to the particular user, (c) in response to verifying that the requesting device is equivalent to the enrolled device, remotely locking, by the authentication server device, the enrolled device, (d) receiving confirmation, by the authentication server device, that the enrolled device has been unlocked within a timeout period, and (e) in response to the authentication server device receiving confirmation that the enrolled device has been unlocked within the timeout period, providing the requesting device with access to the protected resource.