Secure authentication token management

An authentication token management system securely manages an authentication token. Hardware based security extensions on a client are used to dynamically instantiate two dynamic secure virtual machines, a registration initiation module (RIM) and a registration completion module (RCM). A public key and a corresponding private key are generated, and the RIM seals the private key to the RCM. A request for an authentication token is signed by the hardware based security extensions and transmitted to the server. This request comprises at least the public key. In response, an authentication token encrypted with the public key is received. The RCM unseals the private key, and uses it to decrypt the received authentication token. The RCM then seals the authentication token to at least one additional dynamic secure virtual machine, which can use it to perform additional functionalities, such as data signing, encryption, generation and/or verification.