Client platform infection poses a significant threat to secure user authentication. Com- bining vulnerable client platforms with special security devices, as often the case in e- banking, can increase significantly the security. This paper describes a new architecture where a security proxy on the client platform communicates with both a trusted security device and the server application. The proxy switches between two TLS channels, one from the client and another from the trusted device. The result is a highly usable and flexible authentication solution with strong security assurance.