Actually, I think there's a relatively easy solution: make it so that every single time they want to log in, a different set of characters lines up to their password.

Shannon Johnston wrote:
Hi All, I'm looking for input on what you all believe the most common keystroke loggers are. I've been challenged to write an authentication method (for a web site) that can be secure while using a compromised system.
I don't think that's possible for all compromise situations, given today's desktop OS software. It might be possible with a Palladium-like system (and you trust that the secure side isn't compromised) and/or a hardware assist that doesn't trust the host OS (think small USB-attached computer on a stick.)
However, given your query, if you simply want to play the known-threats game, you can just require that the Client have up-to-date AV and antispyware software, and scans clean. That's a little orthogonal to the issue of trying to be secure in the face of a keylogger installed, but probably a better thing to shoot for.
If, for some reason, you only care about the case where a "keylogger" is installed, then you can go with some scheme like making the user pick numbers of a randomly-scrambled keypad on the screen, with the mouse.
Note, however, that "keyloggers" that grab some portion of the screen surrounding the mouse pointer every time you click have already been observed in the wild. They are designed to specifically defeat this kind of mechanism.
Kyle
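The scrambled-keypad scheme in Kyle's reply, and the per-login remapping suggested at the top of the thread, as an added example that is not part of the original thread: the server issues a fresh digit permutation for each login, the client sends only click positions, and a logged click sequence from one login fails against the next layout. It also models Kyle's caveat, a logger that grabs the screen around the pointer and so learns the digits themselves. Assumptions: a 4-digit PIN, a constructed salt, and sha256 standing in for a real password hash.

```python
import hmac
import secrets
from hashlib import sha256

# Constructed demo credential: a 4-digit PIN stored as a salted hash.
# (Assumption: salted sha256 stands in for a real password hash such as argon2/bcrypt.)
SALT = b"demo-salt"
STORED_PIN_HASH = sha256(SALT + b"4912").hexdigest()
DIGITS = "0123456789"

def new_keypad_layout(rng=None):
    """Server: a fresh random permutation of the digits for this login attempt.
    The on-screen keypad shows layout[i] at position i; the client only ever
    sends positions back, never digits."""
    layout = list(DIGITS)
    (rng or secrets.SystemRandom()).shuffle(layout)
    return layout

def client_clicks(layout, pin):
    """Honest user: click the positions where their digits currently appear."""
    return [layout.index(d) for d in pin]

def verify(layout, clicks):
    """Server: map the clicked positions back to digits under the layout it
    issued, then compare against the stored hash in constant time."""
    candidate = "".join(layout[pos] for pos in clicks)
    digest = sha256(SALT + candidate.encode()).hexdigest()
    return hmac.compare_digest(digest, STORED_PIN_HASH)

def replay_position_log(old_layout, new_layout, pin):
    """What a plain click logger captures: positions only. Replaying them
    against the next login's layout yields different digits."""
    recorded = client_clicks(old_layout, pin)
    return verify(new_layout, recorded)

def replay_screen_grab_log(old_layout, new_layout, pin):
    """Kyle's caveat: a logger that grabs the screen around the pointer on each
    click learns the digits themselves and can find them on any new layout."""
    recorded_digits = "".join(old_layout[pos] for pos in client_clicks(old_layout, pin))
    return verify(new_layout, client_clicks(new_layout, recorded_digits))
```

Only the second replay succeeds, which is why the scheme raises the bar against keystroke and click logging but not against screen-capturing loggers.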
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/