In this paper two mobile website authentication schemes are proposed. The first enables authentication credentials (username and password) to be stored and retrieved securely from a mobile handset, and requires no changes to existing websites. The second scheme, which may optionally be used with the first, utilises a one-time password and is intended for applications requiring an enhanced level of authentication, e.g. financial services. Both authentication schemes use a Java SIM and ubiquitous mobile phone; with its familiar and convenient form factor and high user acceptance. Both schemes also provide protection against online phishing attacks.