Security Virtual Keyboards: Why you should avoid using them

Virtual keyboards are popup keyboards that allow you to enter text into a form. These keyboards appear on the screen and allow you to type in text. On devices such as smartphones, on which maximising the viewable screen is crucial, virtual keyboards are ideal because they appear only when they are required. Once they are no longer needed they disappear, returning the area they occupied to the user. In environments in which miniaturization is not so important, physical keyboards are normally the preferred device for entering text into an application, although many computers support virtual keyboards to cater for those instances when a keyboard is not available.

Security Virtual Keyboards (SVKs) have evolved from the standard virtual keyboard and are marketed by organizations that sell or use them as tools that enhance security. These keyboards are normally associated with particular text boxes in a form and will automatically pop up when the person filling the form lands on the text box associated with the SVK.

SVKs are similar to standard virtual keyboards in that both are not physical. They normally differ in that:
        The layout of the keys changes each time the SVK pops up;
        They disable input through a physical keyboard even when a physical keyboard is present;
        What is typed is not shown in the text box (as is the case with password fields).

While they are usually associated with password fields there are organizations that go wild and fire up SVKs with other inputs such as usernames.

SVKs are a bad idea and any security-conscious organization should avoid using them.

  1. Fact: SVKs make use of a pointing arrow (or finger).
In crowded environments such as offices and client-facing environments, observing the position of a moving white arrow or an index finger on a laptop touch screen is easier than observing the letters being punched in with a keyboard.

  2. Fact: SVKs slow users down.
Since the layout of the keys constantly changes, users need to constantly reorient themselves to where the keys are. This considerably slows down the user, thereby making it easier for an onlooker to read what is being entered.

  3. Fact: SVKs advertise themselves to casual hackers.
In an office full of keyboards, hearing the tapping of fingers on keys is an expected event. No one's attention would be drawn. On the other hand, a keyboard-on-the-screen is not a common occurrence and a casual onlooker might be tempted to "discover more".

  4. Fallacy: SVKs make it difficult for key loggers to grab a password.
Key loggers constitute the simplest and most basic method of eavesdropping. Today, software that captures content goes beyond simply reading the keyboard stream; it captures screens as well as all mouse actions, thereby allowing SVKs to be circumvented. So the act of simply moving keys around on a desktop will not circumvent malware that monitors such activity.

In the networked world we live in, most unauthorised eavesdropping has evolved beyond screens: eavesdroppers intercept communications by tapping into the stream between the source of the communication (the user) and the destination (the place the user wants to interact with), or by pretending to be the destination (phishing).

Companies that market SVKs have a commercial intention of convincing us that their product enhances security and some of us take their advertising claims as factual. We need to challenge marketing statements so as to avoid a false sense of security.

Security is a dynamic topic that evolves. Even if something was an effective security tool in the past, changing technologies and changes in how we work could not only make the tool ineffective but also allow it to be abused by hackers. One needs to constantly be on the alert.

