Enhance Web Interface Security with a Virtual Keyboard Login

Yuri Haak over at CitrixThings.com has just released a "virtual keyboard login" to enhance the security of Web Interface 4.2.

What's a virtual keyboard login? A virtual keyboard login is an application that displays an image of a keyboard on your screen. You then "press" the keys by clicking on them with your mouse instead of typing the actual keys. To enhance security, the data entry layout changes every time the page is refreshed.
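A small illustration of the per-refresh layout change described above. This is an added example, not the code of the CitrixThings tool; the key set, the function names and the sample secret are assumptions made for the demonstration.

```javascript
// Added illustration; not the CitrixThings code. All names are hypothetical.
// Web Crypto: global in browsers and recent Node, module fallback otherwise.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

const KEYS = [...'abcdefghijklmnopqrstuvwxyz0123456789'];

// Uniform integer in [0, n) for n <= 256, using rejection sampling so that
// the modulo step does not favour low values.
function randomBelow(n) {
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do {
    rng.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

// Fisher-Yates shuffle: one fresh key order per page load.
function newLayout(keys = KEYS) {
  const layout = keys.slice();
  for (let i = layout.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [layout[i], layout[j]] = [layout[j], layout[i]];
  }
  return layout;
}

// Key positions the user clicks to enter `secret` on a given layout.
function clicksFor(secret, layout) {
  return [...secret].map((ch) => layout.indexOf(ch));
}

// Characters that a sequence of clicked positions selects on a layout.
function resolveClicks(clicks, layout) {
  return clicks.map((pos) => layout[pos]).join('');
}

// Constructed sample: positions clicked on one page load, resolved against
// that load's layout and against the layout of the next refresh.
function demo(secret = 'citrix42') {
  const first = newLayout();
  const second = newLayout();
  const clicks = clicksFor(secret, first);
  return {
    sameLoad: resolveClicks(clicks, first),
    nextLoad: resolveClicks(clicks, second),
  };
}
```

The same click positions select the secret only on the layout they were made on, which is the point of reshuffling on every refresh. The shuffle does nothing against someone who can see the screen.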

A virtual keyboard can help protect against malicious spyware and Trojan programs designed to capture keystrokes. My bank has started using this for web access to their accounts. As a user I find it really annoying, but I must admit that it seems to be effective.

You can download the Virtual Keyboard for WI 4.2 from CitrixThings.com.

23 comments

Andrew Wood is the creator of this cool tool and he should get full credit for that.

Thanks!

with a little help from Dmitry Khudorozhkov ;)

as I was saying - Dmitry Khudorozhkov (kh_dmitry2001@mail.ru) wrote the JavaScript code for the keyboard - and thankfully Dmitry has granted permission to anyone to use that software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to some straightforward things.


And you may remember Andrew is the guy who created the original WTSadm policy template. Cool stuff Andrew.
Jim Kenzig

I fair rattle them out don't I Jim ;)

By the way I was thinking.. can you imagine this somehow tied into Biopassword. Biometrics based on how you click on a virtual keyboard...
hmmmm
Jim
 
hmm indeed - I'd not heard of Biopassword before. The VK was in response to a need to ensure that the logon was as secure as possible, in say a 'CSG' type environment; without the need for 3rd party software.

I'd reckon you'd just make the biopassword techies cry if you suggested it :)

Will this work on WI running on Linux Tomcat?

Real cool! Permission to integrate it into Provision Networks' Web-IT as a standard option :)

none of the code in it is IIS specific that I'm aware of - it'd be useful for some feedback.

I've tried the virtual keyboard, and it works great. I was going to demonstrate it to a colleague, but I found it impossible to show it without letting him see my password. It's very easy to look over the shoulder and see what letters you are clicking on the virtual keyboard. So now you don't need an advanced keylogger to get the password, just have a look at what's being typed on the screen.

It's a fair one. But, that would be the same with any data entry of a password/pin - if someone is stood over you watching, there is a chance they'll see and possibly then know your password.

As with any public terminal (be it a PC, or a cash machine) shouldn't users be vigilant when entering their passwords/pins?

Can this be ported to Access Gateway/AAC?

My point is, it's easier to hide what you are typing on the keyboard, than what you are clicking on the screen. Try it with someone watching, and you'll see what I mean.

You can always configure a WI with VK as a resource in CAG/AAC, but then passthrough won't work. I doubt you can implement this on the portal page. I'm looking forward to getting support for Swivel/PinSAFE in CAG. http://www.swivelsecure.com/?page=PINsafe

No, I see where you're coming from. My tack/thought is - it's more obvious if someone is looking directly at your keyboard or screen - that's something that's in your user's control - I can see you watching, I will choose not to log in. As to whether there is a keyboard logger or not, that's not visible to the user.

If you are very concerned then a single security measure, be it VK or a token, is probably not going to be enough. Then, maybe the solution is a combination of data entry options - possibly including the like of a VK; or not to allow public terminal access at all.

which is a pity - you'd have to passthrough straight to the WI page. But, there are cagesque solutions that aren't made by Citrix that do support such functionality.

Passthrough auth from CAG to WI does work; http://support.citrix.com/kb/entry.jspa?externalID=CTX106202

That's not quite what I meant - the CAG doesn't allow you (that I can find) to upload customised authentication pages for the CAG itself. So while you can passthrough authentication, in order to have this functionality on the CAG you couldn't authenticate to the CAG before accessing the virtual keyboard.

In AAC mode, the Access Gateway web pages are not stored on the CAG itself, they are on the AAC portal server and are cached by the CAG, turning the AG basically into a proxy, so you can change them. Authentication is also performed by the AAC portal and not the AG when in this mode.

If you need a way to make secure login to your TS/Citrix farm try 'SMS Secure Access'.
It uses your mobile phone as a 'Token' and your Microsoft AD (and/or RADIUS) as the user/psw provider.
Link: http://smssecureaccess.meresol.dk
http://smssecureaccess.meresol.dk/screenshot.jpg

I'd like to download the Virtual Keyboard, but I can't: CitrixThings site is out of order!

Is there another means of downloading it?

www.litetype.com Use it for any of your needs

