Does using a virtual keyboard help security?

Does the use of virtual keyboards (the same as in Google search) prevent the typed data from being collected by keyloggers? If yes, is there any virtual keyboard you can recommend?

Author: Maniero, 2015-01-05

2 answers

These solutions are pretty naive. Anyone who uses such a feature to provide more security either does not know what they are doing or is just practicing marketing.

Virtual keyboards can be captured easily. When a machine is compromised nothing that is on it can be used with confidence. There is no point in using gimmicks to prevent the collection of sensitive information.

It is true that many keyloggers are not sophisticated and only capture the keyboard itself. But if you want security, you can't rely on the luck of the infected machine having a bad keylogger.

I wouldn't recommend any software like that because it just creates the illusion of security, even the most sophisticated ones that try to block screenshots or add other protections. Any solution that works stops working when hackers want it to.

 7
Author: Maniero, 2015-01-05 18:26:03

A virtual keyboard could be considered one of the elements that make up an arsenal necessary to increase the level of security of a solution.

It can at least rid the user of one category of information leakage, namely keyloggers based on key capture. If the user does not press a key, a pure keylogger fails to capture the input.

However, if malware can also capture click events and screen images, then it will be able to identify where the user clicked on the virtual keyboard. To avoid password discovery even with screen capture, a known technique is to put two or more numbers or letters on each button. This is how it works in various ATMs.

Even so, specific and more sophisticated malware could monitor the value of form fields. To mitigate this risk, instead of having the virtual keyboard buttons "type" the same number or letter that is displayed, the value could be a symbol randomly generated server-side for this session. The symbol would change with each user access.

Even with all this, malware installed on the machine could still gain improper access, but certainly the level of difficulty and the restrictions imposed by these and other techniques can decrease security risks by increasing the level of knowledge and sophistication required for the attack to carry out an "invasion".

In practice, I have no data to tell how much a virtual keyboard can or can't contribute to improved security. Although many financial institutions make use of this feature, global companies, such as PayPal, do not adopt it.

If I were to implement some authentication mechanism in risky applications, I would spend quite a bit of time studying the existing solutions and would never adopt any "ready" solution from some blog or tutorial.

 6
Author: utluiz, 2015-01-05 19:08:21
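
The scheme described in this answer (two digits per button, with each button submitting a random server-generated symbol that changes every session), sketched server-side as an added example that is not part of the original answers. The function names, the 4-digit PIN, the PBKDF2 hashing and the session dictionary are assumptions made for illustration.

```python
import hashlib, hmac, itertools, secrets

PIN_LENGTH = 4       # assumption: fixed-length numeric PIN
ITERATIONS = 10_000  # assumption: kept low so the sketch runs quickly

def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)

def new_keypad() -> dict:
    """Five buttons, two digits each, keyed by a random per-session token."""
    digits = list("0123456789")
    secrets.SystemRandom().shuffle(digits)
    return {secrets.token_hex(8): digits[i] + digits[i + 1] for i in range(0, 10, 2)}

def client_view(keypad: dict) -> list:
    """What the browser receives: opaque token plus the label to draw."""
    return [{"token": t, "label": f"{d[0]} or {d[1]}"} for t, d in keypad.items()]

def press(keypad: dict, pin: str) -> list:
    """Simulates the user's clicks: the token of the button showing each digit."""
    return [next(t for t, d in keypad.items() if c in d) for c in pin]

def verify(session: dict, tokens: list, salt: bytes, stored: bytes) -> bool:
    keypad = session.pop("keypad", None)  # one attempt per layout, then discard
    if keypad is None or len(tokens) != PIN_LENGTH:
        return False
    if any(t not in keypad for t in tokens):
        return False
    # Each click is ambiguous (2 digits), so try all 2**PIN_LENGTH candidates
    # against the stored hash; no early exit, to keep timing uniform.
    ok = False
    for cand in itertools.product(*(keypad[t] for t in tokens)):
        ok |= hmac.compare_digest(hash_pin("".join(cand), salt), stored)
    return ok

if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    stored = hash_pin("4821", salt)          # constructed sample PIN
    session = {"keypad": new_keypad()}
    clicks = press(session["keypad"], "4821")
    print(client_view(session["keypad"]))    # labels and tokens differ every run
    print(verify(session, clicks, salt, stored))  # correct clicks on a fresh layout
    print(verify(session, clicks, salt, stored))  # same tokens replayed, layout gone
```

The form field only ever holds tokens that are meaningless outside this session, and the fixed length check bounds the number of hash evaluations per attempt.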