As far as I know, there is no way to prevent it from a server perspective, since keyloggers work from such a low-level perspective on the desktop.

There *may* be something that you can use coded in ActiveX or maybe even Java.

We used to have an applet for biometric identification using keystrokes, for web-based examinations and so on, but I can't recall if we were able to prevent replay attacks. I'm pretty sure we weren't able to, since the applet was not nearly as fine-grained as the pure windows app, which we could prevent keyloggers from running and capturing keystrokes.

If you're building an intensely secure system, and cost is not a particular issue, you may be able to speak with some of the makers of key logger detection software, and see if you could re-bundle the installer to "phone home" to your server once installed and verify that it is installed on such and such users' computer. The other method would be to require the user to agree to a EULA every time they log in that they have installed anti-keylogging software, and if they haven't, they understand that you're not liable for blah blah blah.

I found a free keylogger detector at Keylogger Hunter [styopkin.com]. That may be of some use to you.

The ahrdest part will be that you'll be inconveniencing your users, but so long as they understand why this is the way it has to be, and you're protecting their data, they should be agreeable, depending on the need for security.

At anyrate, I hope I've been of some help!

-MM

It is possible but I dont know any off hand for keystroke recorders. The fun keystroke recorders are the hardware based ones such as the KeyKatcher, undetectable by software currently.

Thank you both for your response. I am not interested in hardware detection or "ultra" security, just a relatively modest effort to ensure that our users are not accidentally endangering their own information.