Virtual Keyboard - Security Considerations

Security Considerations

Virtual keyboards may be used in some cases to reduce the risk of keystroke logging. For example, Westpac’s online banking service uses a virtual keyboard for password entry, as does TreasuryDirect. It is more difficult for malware to monitor the display and mouse to obtain the data entered via the virtual keyboard than it is to monitor real keystrokes. However, it is still possible, for example by recording screenshots at regular intervals or upon each mouse click.

Reference: Smith, David A. (2006-06-21). "Outsmarting Keyloggers". PC Magazine. http://www.pcmag.com/article2/0,2817,1978513,00.asp (accessed 2009-11-16).

The use of an on-screen keyboard on which the user "types" with mouse clicks can increase the risk of password disclosure by shoulder surfing, because:

  • An observer can typically watch the screen more easily (and less suspiciously) than the keyboard, and see which characters the mouse moves to.
  • Some implementations of the on-screen keyboard may give visual feedback of the "key" clicked, e.g. by changing its colour briefly. This makes it much easier for an observer to read the data from the screen. In the worst case, the implementation may leave the focus on the most recently clicked "key" until the next virtual key is clicked, thus allowing the observer time to read each character even after the mouse starts moving to the next character.
  • A user may not be able to "point and click" as fast as they could type on a keyboard, thus making it easier for the observer.
