The eKaay main page now presents eKaay in its eKaay Card version. eKaay Card is more secure and, in the end, more convenient, because the card can be used with any of the user's mobile devices. (Original eKaay main page)
eKaay Card - Login with a Card at any Computer
Smartphone trojans may steal the keys that the eKaay app stores on the smartphone. For example, a trojan sitting deep within the smartphone's operating system will be able to circumvent the sandbox.
A solution to this problem is eKaay Card: the keys are moved out to a card or a token, which the smartphone contacts via NFC or Bluetooth:
Login with a Nexus S Android Smartphone and an NXP JavaCard at the Webmail of the Universität Tübingen (no fake).
Because not only the keys but the entire cryptographic operation ("challenge/response") is moved out to the card, the keys never leave the card and therefore cannot be stolen by smartphone or PC malware. eKaay becomes a high-security method.
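The division of roles described above, as an added example that is not eKaay's own code: the card computes the response, the smartphone only relays bytes, and the portal accepts each challenge once. HMAC-SHA256 with a key shared between card and portal is an assumption (the page does not name the algorithm), and the names `Card`, `Portal` and `phone_relay` are hypothetical.

```python
import hashlib
import hmac
import secrets


class Card:
    """Stands in for the NFC card: it answers challenges but has no method that returns the key."""

    def __init__(self, key: bytes):
        self.__key = key  # models on-card storage; real isolation comes from the card hardware

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.__key, challenge, hashlib.sha256).digest()


class Portal:
    """Server side (assumed design): issues one-time challenges and verifies responses."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False  # unknown or already consumed challenge: replay is rejected
        self._pending.discard(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def phone_relay(card: Card, challenge: bytes) -> bytes:
    """The smartphone forwards the challenge over NFC and returns the response; it never holds the key."""
    return card.respond(challenge)


def demo():
    key = secrets.token_bytes(32)  # constructed sample key, provisioned to card and portal
    card, portal = Card(key), Portal(key)
    c1 = portal.new_challenge()
    r1 = phone_relay(card, c1)
    fresh = portal.verify(c1, r1)      # first use of the challenge
    replayed = portal.verify(c1, r1)   # same pair captured by malware and sent again
    stale = portal.verify(portal.new_challenge(), r1)  # old response against a new challenge
    return fresh, replayed, stale
```

Malware on the phone sees only `(challenge, response)` pairs, and the replay and stale-response cases show why a captured pair is of no use for a later login.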
The method can be implemented where portal users already have NFC-enabled cards, for example company cards, campus cards or customer cards.
Alternatively, the NFC-enabled tokens and cards of the FIDO Alliance (Google) could be used to store the eKaay keys, for example the Yubico tokens.
This is decided by the eKaay user, i.e., independently of the portal.
Patent eKaay NFC: B.Borchert (2009): DE102009040009B4.
Conference talk (ICITST 2013, London) about eKaay NFC: B.Borchert, M.Günther: "Indirect NFC-Login" (slides, paper).
The same idea, "Move out the key to an NFC-enabled card in order to protect it from smartphone trojans", applied to Online Banking: NFC-TAN and Display-TAN.