Idea for More Secure Onscreen Keyboard Login


Post by Merlin » Tue Sep 01, 2009 1:31 pm

Hi Joe and Team - Thank you for being so responsive to questions and suggestions.

The on-screen keyboard plus the option of one-time passwords are a fantastic solution to defeating keyloggers and spyware, but I believe it could be taken one step further.

Here's the scenario - I am traveling or simply at an internet cafe. I do not use a YubiKey or thumb drive for authentication (or I've lost it), I don't have any one-time passwords set up, and there is spyware installed on the computer I'm using. This is sophisticated spyware, of the type that takes screen captures; maybe it is even set to start recording when users hit known login pages (such as banks, credit cards, Gmail, or LastPass). I believe the current on-screen keyboard would be defeated, as the software could record the user's inputs visually.

This scenario has led me to not fully trust the login when anywhere but my home computers - I suggest that you replace or supplement the on-screen keyboard with a keyboard designed using the below method, based on this paper: "Defeat spyware with anti-screen capture technology using visual persistence" by J. Lim - http://tinyurl.com/l48nhz
Essentially, using JavaScript, this randomized keyboard or keypad rotates images at a rate faster than a recording or screen capture tool would be grabbing screenshots, so the only result of a screen capture or recording would be a tiny portion of the letter/number on the key. Our eyes/brains would be assembling the keyboard in front of us but software would not be able to perceive it.

Let me know what you think - this would be a fantastic addition to your site, and would enhance my trust of the service. Thank you!

Also - as a side note - the captcha to register for your forum is the most exceptionally difficult to read captcha I have ever seen. I suggest reCAPTCHA as a great, legible solution. :)
Merlin
 
Posts: 6
Joined: Tue Sep 01, 2009 1:17 pm
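
The frame-splitting idea described in the post above, as an added example that is not part of the original post, the cited paper's code, or LastPass's code: one key label is divided into sub-frames that each carry only a fraction of its pixels, and the `exposure` function measures how much of the label a given set of frames reveals. The 5x7 bitmap, the frame count of four, and all function names are assumptions made for illustration.

```javascript
// Constructed 5x7 bitmap of the digit "7" ('#' = lit pixel); sample input only.
const GLYPH_7 = [
  "#####",
  "....#",
  "...#.",
  "..#..",
  "..#..",
  "..#..",
  "..#..",
];

// List the [row, col] coordinates of every lit pixel.
function litPixels(glyph) {
  const out = [];
  glyph.forEach((row, r) =>
    [...row].forEach((ch, c) => { if (ch === "#") out.push([r, c]); }));
  return out;
}

// Split a glyph into n sub-frames; every lit pixel lands in exactly one frame.
// Math.random keeps the demo short; a real keypad would use crypto.getRandomValues.
function splitIntoFrames(glyph, n, rand = Math.random) {
  const px = litPixels(glyph);
  for (let i = px.length - 1; i > 0; i--) { // Fisher-Yates shuffle
    const j = Math.floor(rand() * (i + 1));
    [px[i], px[j]] = [px[j], px[i]];
  }
  const frames = Array.from({ length: n }, () =>
    glyph.map((row) => Array(row.length).fill(".")));
  px.forEach(([r, c], k) => { frames[k % n][r][c] = "#"; });
  return frames.map((f) => f.map((row) => row.join("")));
}

// OR the given frames together: what the eye sees over one full cycle.
function integrate(frames) {
  return frames[0].map((row, r) =>
    [...row].map((_, c) => (frames.some((f) => f[r][c] === "#") ? "#" : ".")).join(""));
}

// Fraction of the glyph's lit pixels present in a set of frames.
function exposure(glyph, frames) {
  return litPixels(integrate(frames)).length / litPixels(glyph).length;
}

const frames = splitIntoFrames(GLYPH_7, 4);
console.log(frames[0].join("\n"));
console.log("one frame reveals:", exposure(GLYPH_7, [frames[0]]).toFixed(2));
console.log("full cycle reveals:", exposure(GLYPH_7, frames).toFixed(2));
```

A single frame carries 3 of the 11 lit pixels, while the full cycle reproduces the label, so the scheme's value rests on the post's stated condition that frames rotate faster than a capture tool samples the screen.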
