
Does the use of an on-screen keyboard (OSK) give a false sense of security? For example when people use the OSK in an attempt to prevent key-loggers from logging information like passwords, typed on an actual (hardware) keyboard.

Like the OSK of Microsoft as shown in the image below.

[Image: On-screen keyboard (OSK) in Microsoft Windows 10]

I assume using an OSK does prevent an attack with a hardware key-logger like the one in the image below, but do OSKs also prevent software key-loggers from logging information?

[Image: Hardware keylogger]

Another example is a website that has its own OSK implemented on the password field, using HTML and JavaScript.

Bob Ortiz

2 Answers


Yes, it is most often just a useless "security measure".

We need to define the threat model and then see whether an on-screen keyboard provides a proper mitigation.

An OSK will protect against two threats:

  • A hardware keylogger

  • A software keylogger that is only looking at the keyboard state (does not attempt to defeat an OSK).

One should note, however, that not all on-screen keyboard implementations are the same. For instance, on Windows the OSK could be running at a higher User Interface Privilege Isolation (UIPI) level, or on Android, where pretty much no implementation uses a hardware keyboard, such an app needs a special permission.

What applications are implementing on-screen keyboards? Websites.

That is, those that are forcing the usage of an on-screen keyboard are doing so at the same privilege level, and as a result of the platform (the browser) they are running in, they can't actually do any better.

Now, on-screen keyboards were useful back in the day, when banking trojans were stealing usernames and passwords through keyloggers. On-screen keyboards on the websites fixed that by having the user not type their password with the keyboard. Then malware quickly adapted and started to also capture the screen, an image around the mouse, etc., overcoming the solution.

Banking trojans have been doing this for over a decade. Thus the security added by such keyboards has been nearly zero for years.

Given that the probability of the user having a hardware keylogger is negligible, they are only protecting from "amateur keyloggers".

At this point, you may be thinking that it may still be worth it even for such a tiny return. However, they have a number of drawbacks too:

  • Bad usability

    • Hard for people with low motor skills controlling the mouse (newbies)
    • Annoying for fast typists (experts)
    • Confusing for everybody when randomising the order
  • Accessibility concerns

  • Makes the password vulnerable to shoulder surfing

  • Doesn't allow entering the password with a pass manager

  • No muscle memory

  • Slower to enter

  • As it makes it harder to "type" the password, it actually encourages using a weaker password

which in my humble opinion weigh the decision clearly towards not requiring an on-screen keyboard.

Note that there's no problem with adding an optional OSK. And if your customers are likely to use an alphabet with characters outside the ASCII range, it may actually be appropriate to provide them with an OSK so they can type them when using a foreign keyboard. But this is accessibility, not security (albeit it's indirectly supporting the use of special characters).

Ángel

If an attacker is aware that an OSK may be used (and that becomes more and more common with touch devices), he can prepare an OSK attack, e.g.:

  • capture screenshots of the OSK and identify keys pressed (e.g. because they have a different color)
  • add his own OSK on top of the existing OSK (similar to clickjacking)
  • add a kernel mode driver to do whatever, e.g. access the content of the password box directly

Again, law no. 1 of computer security applies:

If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

Thomas Weller
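Both answers make the same point: a website OSK runs at the page's privilege level, so a trojan that captures the screen around each mouse click recovers the password no matter how the keys are arranged. The following is an added example, not code from either answer, that models this in plain Node without a DOM. It assumes a randomised ten-key PIN pad with a fixed cell geometry (KEY_W, KEY_H, COLS), reshuffled after every click, and represents what a screen-capturing trojan sees as the pad layout at click time plus the click coordinates. The function names, the seeded PRNG and the sample PIN are all constructed for illustration.

```javascript
// Added example (not part of the original Q&A): a model of a web page's
// randomised on-screen PIN pad and of the two logger types the answers describe.

const KEYS = "0123456789".split("");    // assumed: a digit pad, the common banking case
const KEY_W = 40, KEY_H = 40, COLS = 5; // assumed geometry of the rendered pad (pixels)

// Small deterministic PRNG (mulberry32) so the "random" layout is reproducible
// here; a real page would use crypto.getRandomValues().
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Shuffle the key order (Fisher-Yates) and place each key in a grid cell.
// The result is the "screenshot" of the pad: [{key, x, y, w, h}, ...].
function makeLayout(rng) {
  const keys = KEYS.slice();
  for (let i = keys.length - 1; i > 0; i--) {
    const j = Math.floor(rng() * (i + 1));
    [keys[i], keys[j]] = [keys[j], keys[i]];
  }
  return keys.map((key, i) => ({
    key,
    x: (i % COLS) * KEY_W,
    y: Math.floor(i / COLS) * KEY_H,
    w: KEY_W,
    h: KEY_H,
  }));
}

// Which key sits under a click at (x, y)? null if the click missed the pad.
function keyAt(layout, x, y) {
  const hit = layout.find(b => x >= b.x && x < b.x + b.w && y >= b.y && y < b.y + b.h);
  return hit ? hit.key : null;
}

// Simulate a user entering `secret` on the pad. The page reshuffles the pad
// after every click (the strongest variant a site could implement). Each event
// is what the OS hands to a screen-and-mouse capturing trojan: the layout on
// screen at that moment plus the click coordinates. No keyboard event is ever
// generated, which is the whole point of the OSK.
function simulateEntry(secret, seed = 1) {
  const rng = mulberry32(seed);
  const events = [];
  for (const ch of secret) {
    if (!KEYS.includes(ch)) throw new Error(`character ${ch} is not on the pad`);
    const layout = makeLayout(rng);
    const btn = layout.find(b => b.key === ch);
    events.push({
      screenshot: layout,
      click: { x: btn.x + btn.w / 2, y: btn.y + btn.h / 2 }, // user clicks the button centre
      keydown: null,                                          // nothing for a keyboard hook to see
    });
  }
  return events;
}

// Logger type 1: a classic keylogger hooking keyboard state. It only ever sees
// keydown events, so the OSK defeats it completely.
function keyStateLogger(events) {
  return events.map(e => e.keydown).filter(k => k !== null).join("");
}

// Logger type 2: a banking trojan that grabs an image around the mouse on each
// click. Mapping the click back onto the captured layout recovers every digit,
// regardless of how often the pad is reshuffled.
function screenshotLogger(events) {
  return events.map(e => keyAt(e.screenshot, e.click.x, e.click.y)).join("");
}

// Demo with a constructed PIN.
const demoEvents = simulateEntry("4815");
console.log("key-state logger saw :", JSON.stringify(keyStateLogger(demoEvents)));
console.log("screenshot logger saw:", screenshotLogger(demoEvents));
```

The only thing the randomised layout changes is which logger the attacker needs; the password still leaks because both the layout and the clicks are visible at the page's own privilege level, exactly as the answers say.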