A method and apparatus for conducting a commercial transaction over the
Internet or other network connection are provided. The method includes
the use of random numbers which are unique for each user session. These
random numbers are pre-loaded onto a handheld, portable device (a token) at
the time of the device's manufacture or programming. These numbers are
generated by external systems. The external systems then deliver the
number sets to the token for storage in the token's internal memory and
also to another random number database that is accessible by an
authentication system. The random numbers are dispensed by the token to a
user by pressing a button on the token or otherwise signaling the token.
A simple polynomial equation may be employed in order to increase the
number of codes. A dispensed number is cross-referenced by the
authentication system against the random number database that was created
when the token was programmed. In this way the user or transaction can be
authenticated. In its preferred configuration, it is intended that once
the total number of random combinations, including the original random
numbers and numbers generated by polynomial transformations, has been
exhausted, the device becomes inoperable.
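
The scheme described above, sketched as an added example (not code from the original document): one random number set is copied to the token and to the authentication database, each dispensed code is accepted once, and the token stops dispensing when the set is exhausted. The 8-digit code length, the polynomial in `poly`, the look-ahead `window`, and all class and function names are assumptions made for illustration.

```python
import hmac
import secrets

DIGITS = 8                      # assumed code length
SPACE = 10 ** DIGITS

def poly(x):
    # Hypothetical polynomial; the page does not specify one.
    return (3 * x * x + 7 * x + 11) % SPACE

def code_sequence(numbers):
    """Original numbers, then their polynomial transforms, as fixed-width strings."""
    return [f"{n:0{DIGITS}d}" for n in list(numbers) + [poly(n) for n in numbers]]

def provision(count):
    """External system: one random set, copied to the token and to the server database."""
    numbers = [secrets.randbelow(SPACE) for _ in range(count)]
    return Token(numbers), Authenticator(numbers)

class Token:
    def __init__(self, numbers):
        self._codes = code_sequence(numbers)
        self._next = 0

    def press(self):
        """Dispense the next code; None once every combination is exhausted."""
        if self._next >= len(self._codes):
            return None             # device is inoperable
        code = self._codes[self._next]
        self._next += 1
        return code

class Authenticator:
    def __init__(self, numbers, window=3):
        self._codes = code_sequence(numbers)
        self._next = 0              # every entry before this index is spent
        self._window = window       # tolerate presses that were never submitted

    def verify(self, submitted):
        """Cross-reference a code against unspent entries; each entry is accepted once."""
        if not isinstance(submitted, str):
            return False
        for i in range(self._next, min(self._next + self._window, len(self._codes))):
            if hmac.compare_digest(self._codes[i].encode(), submitted.encode()):
                self._next = i + 1  # spend this code and any skipped before it
                return True
        return False
```

Because the transformed codes are computed from the stored numbers, they lengthen the token's life without adding randomness, so the polynomial should not be treated as a source of secrecy.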