The present invention defines a strong authentication token for generating different dynamic credentials for different application providers comprising an input interface providing an output representing an application provider indicator; a secret key storage for storing one or more secret keys; a variability source for providing a dynamic variable value; a key providing agent for providing an application provider specific key as a function of said application provider indicator using one or more keys stored in said secret key storage; a cryptographic agent for cryptographically combining said application provider specific key with said dynamic variable value using symmetric cryptography; a transformation agent coupled to said cryptographic agent for transforming an output of said cryptographic agent to produce a dynamic credential; and an output interface to output said dynamic credential.
The present invention defines furthermore a method to manage the secret keys of strong authentication tokens that can generate dynamic credentials for more than one supported application provider or application provider group using different secret keys for each supported application provider or application provider group comprising generating for each of a batch of strong authentication tokens a token specific master key; personalising each token of said batch with the token specific master key associated with said token; generating for each of a plurality of supported application providers or application provider groups a set of application provider specific token keys, one application provider specific token key for each token of said batch, whereby each application provider specific token key of each of said sets is derived from that token's token specific master key and a unique identifier or indicator of that application provider or application provider group; providing to each application provider or an entity that is responsible for the verification on behalf of said application provider of the dynamic credentials that are generated for said application provider, the corresponding set of application provider specific token keys.