This bank's website* has a login form for their internet banking section. They disable the password field, and display a randomised virtual keyboard under the login form where users must click on the buttons to add characters to the password field.

* I don't know whether I'm allowed to actually link to the bank's website for demonstration purposes, so I'm not doing that. I can add it if it helps.

Virtual Keyboard

I think this is terrible because:

  1. It makes it a lot harder for users to type in their password.
  2. People looking over their shoulder can easily see what key the cursor is on, and thus undermine the whole point of password obfuscation.
  3. The restrictions on the password field are client-side and easy to disable.

Is there any good reason to use this kind of technique that perhaps I am missing?

The use of an onscreen keyboard (especially randomized) is a big inconvenience to users - and that, in general, is bad for security.

Technically, any onscreen keyboard is deployed to fight keyboard loggers (a real problem since most banking trojans use this). Randomizing the keyboard helps against mouse action recorders.

However, in this case, by disabling the password field (especially since it prevents password managers from working), the bank is doing more harm to their users than good. IMHO, the net impact on security is negative.

Two parts to my answer

First, disabling the password field is bad user experience and blocks password managers which I think adds NO security.

Second, I think the on-screen keyboard does offer 'good' security - good meaning adequate for the level of threat for the majority of users. Keeping the answer related to security, it can help mitigate against some key loggers. Yes, shoulder surfing is possible, but being aware of this should allow you to use some common sense practices to mitigate that, and for users who don't have any common sense then I suspect watching them type on a keyboard is just as easy, or even asking them for the password. (But yes, this is a negative.)

Is there any good reason to use this kind of technique that perhaps I am missing?

Apart from what I have put above then no. Implementations like this are added to improve the users' feeling of security, especially for the majority of their non-security-aware users.

