A system includes a memory and processor. The memory stores a user account identifier associated with a user account. The processor receives at least one user credential and authenticates the user account based at least in part on the at least one user credential. The processor further receives a first request, from a device associated with the user account, to generate a one-time password and generates the one-time password in response to receiving the first request. The processor associates the one-time password to the user account and communicates the one-time password to the device associated with the user account. The processor further receives a second request, from a transaction device, the second request comprising an attempted one-time password, determines whether the attempted one-time password is valid, and communicates, to the transaction device, an indication that the attempted one-time password is valid in response to determining that the attempted one-time password is valid.