The goal is to make sure even a local keylogger cannot get the login and password.
The best would be to have an option in the sign in page to have this on the login page.
As I hate reinventing the wheel, I'd be glad if someone who already uses this could share his template.
Have you looked at the Kiosk example under Custom Sign-In Pages on the SA? I think it may do what you need, or you could make it work with a little modification.