The present invention relates to the field of strong authentication tokens and more specifically to methods and apparatus employing cryptographic key establishment protocols for such strong authentication tokens.An apparatus comprising storage for a secret key, said secret key for use in the generation of cryptographic values, and a cryptographic agent for generating said cryptographic values using said secret key, selects one of a predetermined set of key transformations in an unpredictable way and applies said selected key transformation to said secret key prior to generating one of said cryptographic values.A server receives and authenticates a credential generated using a transformed secret and derives the transformed secret, by generating a plurality of verification values using a set of known permitted transformations of a stored secret, determining whether said credential matches one of said plurality of verification values, and, if said credential matches one of said plurality of verification values, storing the corresponding one of said set of known permitted transformations as an updated value for said stored secret.