Cryptographic smartcards provide a standardized, interoperable way for multi-factor authentication. They bridge the gap between strong asymmetric authentication and short, user-friendly passwords (PINs) and protect long-term authentication secrets against malware and phishing attacks. However, to prevent malware from capturing entered PINs such cryptographic tokens must provide secure means for user input and output. This often makes their usage inconvenient, as dedicated input key pads and displays are expensive and do not integrate with mobile applications or public Internet terminals. The lack of user acceptance is perhaps best documented by the large variety of non-standard multi-factor authentication methods used in online banking. In this paper, we explore a novel compromise between tokens with dedicated card reader and USB or software-based solutions. We design and implement a cryptographic token using modern secure execution technology, resulting in a flexible, cost-efficient solution that is suitable for mobile use yet secure against common malware and phishing attacks.