Use virtual keyboard to help with security?

3

Does using virtual keyboards (like the one in Google search) prevent typed data from being collected by keyloggers? If yes, is there any virtual keyboard you might recommend?

    
asked by anonymous 05.01.2015 / 19:11

2 answers

7

These solutions are pretty naive. When someone uses such a feature to be more secure, they either do not know what they are doing or are just practicing marketing.

Virtual keyboards can be easily captured. When a machine is compromised nothing that is in it can be used with confidence. There is no point in using artifice to avoid the collection of sensitive information.

It's true that many keyloggers are not sophisticated and just capture the keyboard itself. But if you want security you cannot rely on the luck of the infected machine having a bad keylogger.

I would not recommend any such software because it just creates an illusion of security, even the most sophisticated ones that try to block screen capture or add other protections. Any solution that works breaks when hackers want it to.

    
05.01.2015 / 19:26
6

A virtual keyboard could be considered one of the elements that make up an arsenal needed to increase the level of security of a solution.

It can at least free the user from one category of information leak, namely keyloggers based on key capture. If the user does not press a key, a pure keylogger cannot capture the input.

However, if malware also captures click events and screen images, then it can identify where the user clicked on the virtual keyboard. To keep the password from being discovered even with screen capture, a known technique is to place two or more numbers or letters on each button. It's like that at several ATMs.

Even so, a specific and more sophisticated malware could monitor the value of form fields. To mitigate this risk, instead of the virtual keyboard buttons "typing" the very number or letter being displayed, the value could be a symbol randomly generated server-side for this session, so that the symbol would change with every user access.

Even with all this, malware installed on the machine could still gain improper access, but certainly the level of difficulty and the restrictions imposed by these and other techniques can decrease security risks by raising the level of knowledge and sophistication demanded of the attack to carry out an "invasion".

In practice, I have no data to tell you how much a virtual keyboard can or cannot contribute to improved security. Although many financial institutions make use of this feature, global companies, such as PayPal, do not adopt it.

If I were to implement some authentication mechanism in risky applications, I would spend a lot of time studying the existing solutions and would never adopt any "ready" solution from some blog or tutorial.

    
05.01.2015 / 20:02
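
The two techniques described in the answer above (several digits per button, and a per-session random symbol sent in place of the digit), sketched as an added example that is not part of the original answer. The function names, the in-memory session store and the sample PIN are assumptions made for illustration.

```python
import secrets

def new_layout(per_button=2):
    """Server side: shuffle the digits into buttons, one random token per button."""
    digits = list("0123456789")
    secrets.SystemRandom().shuffle(digits)
    groups = [frozenset(digits[i:i + per_button])
              for i in range(0, len(digits), per_button)]
    return {secrets.token_urlsafe(8): g for g in groups}  # token -> digits shown

def client_view(layout):
    """What the page receives: button labels plus opaque tokens."""
    return [{"label": " or ".join(sorted(g)), "token": t}
            for t, g in layout.items()]

def press(layout, pin):
    """Simulate the user clicking the button that shows each PIN digit."""
    return [next(t for t, g in layout.items() if d in g) for d in pin]

def candidates(layout, tokens):
    """How many PINs are consistent with one observed click sequence."""
    count = 1
    for t in tokens:
        count *= len(layout[t])
    return count

def verify(sessions, session_id, tokens, stored_pin):
    """Check one attempt; the layout is consumed, so tokens cannot be replayed."""
    layout = sessions.pop(session_id, None)
    if layout is None or len(tokens) != len(stored_pin):
        return False
    ok = True
    for tok, digit in zip(tokens, stored_pin):
        ok &= digit in layout.get(tok, frozenset())
    return ok

if __name__ == "__main__":
    PIN = "4071"  # constructed sample; kept in the clear only for brevity
    sessions = {"s1": new_layout(), "s2": new_layout()}
    layout = sessions["s1"]
    clicks = press(layout, PIN)
    print(client_view(layout))
    print("PINs matching one observation:", candidates(layout, clicks))
    print("first attempt:", verify(sessions, "s1", clicks, PIN))
    print("replay, same session:", verify(sessions, "s1", clicks, PIN))
    print("replay, other session:", verify(sessions, "s2", clicks, PIN))
```

With two digits per button, a single captured click sequence for a four-digit PIN still leaves 16 candidate PINs, and the captured tokens are useless once the session's layout has been consumed.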