Ask the Expert

Is a touchscreen virtual keyboard good for keeping passwords secure?

I recently saw that a government loan site had implemented a virtual keyboard on its login page. To reduce the risk of falling prey to keyloggers, users were given the option of clicking the letters and numbers on the virtual keyboard to input their username and password details. What are the pros and cons of virtual keyboards?

    Requires Free Membership to View

I'll start with the cons. The first thing that comes to mind is how the touchscreen virtual keyboard will interact with the capabilities of the user's platform. Will the keyboard display work properly on an iPhone, a netbook, a PS3, a PSP, a Droid, etc.? There are a lot of consumer devices on the market that are Web-enabled. A Web-object, like a virtual keyboard, will most likely cause problems on some of them.

There's also the issue of over-the-shoulder viewing. I doubt my cubical-mate could follow my typing on a keyboard lying horizontal on my desk, but he or she could easily see which keys I press on my screen as I enter my password (unless of course an overlay has been placed on my monitor to deter this).

Finally, since virtual keyboards aren't standard in any Web applications I've seen, there's the cost of development and support for the creation of the keyboard and its integration into the Web applications.

On the plus side, and a big plus at that, keyloggers wouldn't be able to capture this information, since you would be using either a mouse or a touch screen to enter the information, thus keeping passwords secure.

However, as a security professional, before I decided to use a virtual keyboard on my site, I'd have to weigh the risks. Who are the constituents who will be accessing the site and how technologically savvy are they? What platforms will they be using? What is the risk that the systems accessing the site will have keylogger or other capture software on them? What is the value of, or what are the privacy concerns regarding the content the site provides? Does this affect the end user's ease of accessing the site? After analyzing the results, I'd then decide whether the functionality justifies the risks of adding a virtual keyboard to my site.

This was first published in April 2010

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: