by FabHK 2684 days ago
Well, that's better though. So even if there's a key logger and mouse click recorder on your machine, one cannot recover your password. Though, if your machine is that compromised, might as well have a screen recorder, too. Though that would create more outgoing traffic.

don't need a screen recorder. the keycap images are trivially machine readable.

this technique is actually good if implemented correctly -- with secure display where the host OS cannot read the image data. some predecessor to SGX whose name I don't recall had this feature. the idea is to enter a PIN though, not a friggin password.

treasurydirect seems to have only taken away the trivial aspect of it without understanding the underlying reasons and details. you know, like what most companies do with Agile.

This means that they don't use 2FA. In Turkey 2FA is mandatory for all banks, via SMS or app on the phone.