Brian Madden's Blog

Enhance Web Interface Security with a Virtual Keyboard Login

Written on Jul 30 2006 10,688 views, 23 comments


by Brian Madden

Yuri Haak over at CitrixThings.com has just released a "virtual keyboard login" to enhance the security of Web Interface 4.2.

What's a virtual keyboard login? A virtual keyboard login is an application that displays an image of a keyboard on your screen. You then "press" the keys by clicking on them with your mouse instead of typing the actual keys. To enhance security, the data entry layout changes every time the page is refreshed.

A virtual keyboard can help protect against malicious spyware and Trojan programs designed to capture keystrokes. My bank has started using this for web access to their accounts. As a user I find it really annoying, but I must admit that it seems to be effective.
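The mechanism described above, as an added sketch that is not part of the original post and is not the code of the CitrixThings tool: a key layout reshuffled on every page load, so that recorded click positions mean nothing without the layout that was on screen. The key set and all function names are assumptions made for illustration, and the sketch runs under Node.js.

```javascript
// Added illustration (not the CitrixThings / Dmitry Khudorozhkov code).
// Runs under Node.js; in a browser, draw the random numbers with crypto.getRandomValues.
const { randomInt } = require("crypto");

const KEYS = "abcdefghijklmnopqrstuvwxyz0123456789".split(""); // assumed key set

// Fisher-Yates shuffle driven by a CSPRNG: layout[slot] = character drawn in that slot.
function newLayout(keys = KEYS) {
  const layout = keys.slice();
  for (let i = layout.length - 1; i > 0; i--) {
    const j = randomInt(i + 1); // uniform in [0, i], no modulo bias
    [layout[i], layout[j]] = [layout[j], layout[i]];
  }
  return layout;
}

// What the user does: find each character on screen and click its slot.
function clicksFor(secret, layout) {
  return Array.from(secret, (ch) => {
    const slot = layout.indexOf(ch);
    if (slot < 0) throw new RangeError(`no key for ${JSON.stringify(ch)}`);
    return slot;
  });
}

// What the page does with the clicks: map slots back through the layout it drew.
function decode(clicks, layout) {
  return clicks.map((slot) => {
    if (!Number.isInteger(slot) || slot < 0 || slot >= layout.length) {
      throw new RangeError(`slot out of range: ${slot}`);
    }
    return layout[slot];
  }).join("");
}

// Constructed sample: one secret entered on one page load, then the page refreshes.
function demo(secret = "s3cret") {
  const first = newLayout();
  const second = newLayout();
  const clicks = clicksFor(secret, first);
  return {
    clicks,                           // slot numbers only, no characters
    sameLoad: decode(clicks, first),  // decoded with the layout that was on screen
    nextLoad: decode(clicks, second), // same clicks after a refresh: almost surely other text
  };
}

console.log(demo());
```

The layout is the only thing that gives the clicks meaning, so anyone who can see the screen while the clicks are made sees the password, which is the limitation raised in the comments below.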

You can download the Virtual Keyboard for WI 4.2 from CitrixThings.com.



Comments

Yuri Haak wrote Well Actually....
on 07-31-2006 2:18 AM
Andrew Wood is the creator of this cool tool and he should get full credit for that..
 
Thanks!
 
Guest wrote RE: Well Actually....
on 07-31-2006 4:41 AM
with a little help from Dmitry Khudorozhkov ;)
Andy Wood wrote RE: Well Actually....
on 07-31-2006 4:45 AM
as I was saying - Dmitry Khudorozhkov (kh_dmitry2001@mail.ru) wrote the javascript code for the keyboard - and thankfully Dmitry has granted permission to anyone to use that software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to some straightforward things.


Guest wrote RE: Well Actually....
on 07-31-2006 10:16 AM
And you may remember Andrew is the guy who created the original WTSadm policy template.  Cool stuff Andrew.
Jim Kenzig
 
Andy Wood wrote RE: Well Actually....
on 07-31-2006 10:17 AM
I fair rattle them out don't I Jim ;)
Guest wrote RE: Well Actually....
on 07-31-2006 10:19 AM
By the way I was thinking.. can you imagine this somehow tied into Biopassword.  Biometrics based on how you click on a virtual keyboard...
hmmmm
Jim
 
Andy Wood wrote RE: Well Actually....
on 07-31-2006 10:27 AM
hmm indeed - I'd not heard of Biopassword before. The VK was in response to a need to ensure that the logon was as secure as possible, in say a 'CSG' type environment; without the need for 3rd party software.

I'd reckon you'd just make the biopassword techies cry if you suggested it :)
Guest wrote Linux running Tomcat
on 07-31-2006 3:55 PM
Will this work on WI running on Linux tomcat?
Peter Ghostine wrote RE: Well Actually....
on 07-31-2006 7:43 PM
Real cool! Permission to integrate it into Provision Networks' Web-IT as a standard option :)
Andy Wood wrote RE: Linux running Tomcat
on 08-01-2006 2:59 AM
none of the code in it is IIS specific that I'm aware of - it'd be useful for some feedback.
Magnar Johnsen wrote VK is nice, but is it really improving security?
on 08-01-2006 6:22 AM
I've tried the virtual keyboard, and it works great. I was going to demonstrate it to a colleague, but I found it impossible to show it without letting him see my password. It's very easy to look over the shoulder and see what letters you are clicking on the virtual keyboard. So now you don't need an advanced keylogger to get the password, just have a look at what's being typed on the screen.
Andy Wood wrote RE: VK is nice, but is it really improving security?
on 08-01-2006 9:35 AM
It's a fair one. But, that would be the same with any data entry of a password/pin - if someone is stood over you watching, there is a chance they'll see and possibly then know your password.

As with any public terminal (be it a pc, or a cash machine) shouldn't users be vigilant when entering their passwords/pins?
Guest wrote Access Gateway/AAC version
on 08-02-2006 1:23 AM
Can this be ported to Access Gateway/AAC ?
Magnar Johnsen wrote RE: VK is nice, but is it really improving security?
on 08-02-2006 2:52 AM
My point is, it's easier to hide what you are typing on the keyboard, than what you are clicking on the screen. Try it with someone watching, and you'll see what I mean.
Magnar Johnsen wrote RE: Access Gateway/AAC version
on 08-02-2006 2:59 AM
You can always configure a WI with VK as a resource in CAG/AAC, but then passthrough won't work. I doubt you can implement this on the portal page. I'm looking forward to get support for Swivel/PinSAFE in CAG. http://www.swivelsecure.com/?page=PINsafe
Andy Wood wrote RE: VK is nice, but is it really improving security?
on 08-02-2006 12:44 PM
No, I see where you're coming from. My tack/thought is - it's more obvious if someone is looking directly at your keyboard or screen - that's something that's in your user's control - I can see you watching, I will choose not to log in. As to whether there is a keyboard logger or not, that's not visible to the user.

If you are very concerned then a single security measure, be it VK or a token  is probably not going to be enough. Then, maybe the solution is a combination of data entry options - possibly including the like of a VK; or not to allow public terminal access at all.
Andy Wood wrote no sadly...
on 08-02-2006 12:46 PM
which is a pity - you'd have to passthrough straight to the WI page. But, there are cagesque solutions that aren't made by citrix that do support such functionality.
Magnar Johnsen wrote RE: no sadly...
on 08-04-2006 3:38 AM
Passthrough auth from CAG to WI does work; http://support.citrix.com/kb/entry.jspa?externalID=CTX106202
Andy Wood wrote RE: no sadly...
on 08-05-2006 5:25 AM
That's not quite what I meant - the cag doesn't allow you (that I can find) to upload customised authentication pages for the CAG itself. So while you can passthrough authentication, in order to have this functionality on the cag you couldn't authenticate to the cag before accessing the virtual keyboard.
Guest wrote RE: no sadly...
on 08-21-2006 1:51 AM
In AAC mode, the Access Gateway web pages are not stored on the CAG itself, they are on the AAC portal server and are cached by the CAG, turning the AG basically into a proxy, so you can change them. Authentication is also performed by the AAC portal and not the AG when in this mode.
Teddy Brask-Andersen wrote Secure login by using your mobile phone
on 04-18-2007 6:13 AM
If you need a way to make secure login to your TS/Citrix farm try 'SMS Secure Access'.
It uses your mobile phone as a 'Token' and your Microsoft AD (and/or RADIUS) as the user/psw provider.
Link: http://smssecureaccess.meresol.dk
http://smssecureaccess.meresol.dk/screenshot.jpg
Guest wrote CitrixThings site KO
on 07-23-2007 5:55 AM

I'd like to download the Virtual Keyboard, but I can't : CitrixThings site is out of order!

Is there another means of downloading it?

Guest wrote Virtual keyboard for everyone
on 09-06-2008 6:24 AM

www.litetype.com
Use it for any of your needs
