Hi Joe and Team - Thank you for being so responsive to questions and suggestions.
The on-screen keyboard plus the option of one-time passwords are a fantastic solution to defeating keyloggers and spyware, but I believe it could be taken one step further.
Here's the scenario - I am traveling or simply at an internet cafe. I do not use a YubiKey or thumb drive for authentication (or I've lost it), I don't have any one-time passwords set up, and there is spyware installed on the computer I'm using. This is sophisticated spyware, of the type that takes screen captures; maybe it is even set to start recording when users hit known login pages (such as banks, credit cards, Gmail, or LastPass). I believe the current on-screen keyboard would be defeated, as the software could record the user's inputs visually.
This scenario has led me to not fully trust the login when anywhere but my home computers - I suggest that you replace or supplement the on-screen keyboard with a keyboard designed using the method below, based on this paper: "Defeat spyware with anti-screen capture technology using visual persistence" by J. Lim - http://tinyurl.com/l48nhz
Let me know what you think - this would be a fantastic addition to your site, and would enhance my trust of the service. Thank you!
Also - as a side note - the CAPTCHA to register for your forum is the most exceptionally difficult-to-read CAPTCHA I have ever seen. I suggest reCAPTCHA as a great, legible solution.