If you're worried about keyloggers, you should also be concerned with other types of spoofing, even on machines you control (by software you do not).
If you're building a website, you can help mitigate keyloggers with One Time Password support, eg login via cellphone app (which doesn't have to have a signal but can store a million random codes a la the RSA dongle) unless that's somehow patented - is it?
But fake auth forms are equally egregious. For this, you simply need the user to enter (or receive) a relatively unique (1 in 10,000) phrase or icon that they remember when signing up. Then show this phrase when one of your input fields in your domain security context (iframe or popup) is focused. There is no way for other websites to grab that phrase or icon, and therefore the user is trained to check that YOUR field on YOUR domain is the one receiving keyboard focus.
I once wrote a letter to Steve Jobs saying the iOS should also have something similar - that the system dialogs where you enter your admin username and password to authorize something should show you a familiar phrase or icon which userland apps can't screenshot, similar to how they protect copyrighted video. But he never replied or implemented it.
After all, Vista did it by darkening the screen... Any app can do that!
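An added example (not the commenter's code) of the OTP point above: HOTP per RFC 4226, the scheme behind the "million random codes" generated offline from a shared secret and counter, plus the server-side check that makes a keylogged code worthless because each one is accepted at most once. The secret is the RFC 4226 test-vector key, used here as constructed sample data; the look-ahead window size is an assumption.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    Nothing here needs a network: the phone only needs the secret and its counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one enrolled device: the shared secret and the highest
    counter already consumed. A code a keylogger captured has, by the time the
    attacker tries it, already been consumed by the legitimate login."""

    def __init__(self, secret: bytes, look_ahead: int = 10):  # look_ahead is an assumed window size
        self.secret = secret
        self.last_counter = -1  # no code accepted yet
        self.look_ahead = look_ahead  # tolerate codes the user generated but never submitted

    def verify(self, submitted: str) -> bool:
        # Only counters strictly above the last accepted one are candidates, so any
        # replay of an earlier code (logged or shoulder-surfed) is rejected.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.last_counter = c  # burn this counter and every one below it
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test-vector key, constructed sample data
    verifier = HotpVerifier(secret)
    first = hotp(secret, 0)
    print("legitimate login:", verifier.verify(first))   # True
    print("replay of logged code:", verifier.verify(first))  # False
```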