Ticket-based authentication systems are used across the internet. They allow an entity or device to be issued a
ticket which can be used to repeatedly authenticate to a service. We propose a quantum ticket algorithm (based
on Gavinsky’s coin scheme) which offers protection against phishing, replay and man-in-the-middle attacks, and authentication with the service does not require either quantum or encrypted communication channels. It also provides in-built ticket expiration and graded step-up authentication depending on levels of trust and risk.