Virtual keyboard and false sense of security

Matchistador_
New Contributor

Hello,

I recently saw a customer who added the virtual keyboard to the login page to prevent keylogging attacks. I've never been really confident that such mechanisms (which are really annoying) add any extra level of security, and in this case, writing a Greasemonkey script to disable it is trivial:

http://userscripts.org/scripts/show/83604

Does anybody know if the virtual keyboard has evolved since version 6.3?

icebun007_
Contributor

Re: Virtual keyboard and false sense of security

I have upgraded from 6.x to 7.x and I don't think the VKB has changed at all. Well, not cosmetically.

The VKB option is only available to Admins but I plan to roll this out to the masses.

Right now I use a solution from Safeword which works great for secondary authentication via an OTP.

However, I have 60+ key fobs in circulation and only a handful of people really use the IVE.

By implementing the VKB in conjunction with a tight password policy, I am going to dump Safeword in the next few months.

zanyterp_
Respected Contributor

Re: Virtual keyboard and false sense of security

The one that is defined by the custom sign-in page is the same now as it was before, yes.

ruc_
Regular Contributor

Re: Virtual keyboard and false sense of security

The built-in virtual keyboard is just a sample to demonstrate what can be achieved using the Custom Sign in Page framework.

Matchistador_
New Contributor

Re: Virtual keyboard and false sense of security

Well, thank you for your response, but I don't really agree with you: it is marketed as a feature, and anyway, if such a function can only be done at the client level (without interaction with the IVE), it will never be secure.