A solution for this problem is ekaay NFC: The keys are moved out to a card or a token, and are contacted by the smartphone via NFC:
Because not only the keys but the whole cryptology (''challenge/response'') is moved out to the card, the keys never leave the card and therefore cannot be stolen by smartphone or PC malware. eKaay becomes a high-security method.
The method can be implemented in case there are already NFC-enabled cards among the portal users, for example company cards, campus cards or customers cards.
Alternatively, the NFC-enabled tokens and cards of the FIDO Alliance (Google) could be used to store the ekaay keys, for example the Yubico tokens. This is decided by the eKaay user, i.e., independently of the portal.
Patent eKaay NFC: B.Borchert (2009): DE102009040009B4.