Several years ago my financial institution displayed a keyboard so that users could point and click on the letters, numbers and special characters. Every time a user went to the login page he was presented with a keyboard with a different layout. Seemed like a good way to ensure keystroke software could not obtain passwords. Has anyone seen these and/or know why they aren't used?
That is mostly the same technology that my Trezor 1s use for entering their unlock PIN (used to access bitcoin wallets). However, the difference is that the scrambling of the character positioning is handled internally by the hardware device and not the computer. Haven't studied your application, but it would seem to me that the computer would have to "know" what character is being clicked on. By using the same device for the entire process it wouldn't be as secure. Maybe solely one device being used created a security hole. Just a thought.
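The split described in the reply above, as an added example that is not part of either post and is not Trezor's code: the device keeps the scrambled layout and the PIN, and the host only ever handles clicked cell positions. The `Device` class, the 3x3 digit grid and the sample PIN are assumptions made for this simulation.

```python
import secrets

DIGITS = "123456789"

def decode(layout, positions):
    """Turn clicked grid cells (0-8) into digits; only works with the layout."""
    return "".join(layout[p] for p in positions)

class Device:
    """Hypothetical hardware token (a simulation, not real firmware)."""

    def __init__(self, pin):
        self._pin = pin
        self._layout = None

    def show_layout(self):
        """Scramble the grid; a real device shows this on its own screen only."""
        cells = list(DIGITS)
        secrets.SystemRandom().shuffle(cells)
        self._layout = cells
        return cells  # returned only so the simulated user can "look" at it

    def check(self, positions):
        """Receive cell indices from the host and verify the PIN on-device."""
        if self._layout is None:
            raise RuntimeError("no layout shown")
        layout, self._layout = self._layout, None  # each layout is single-use
        if any(not 0 <= p < len(layout) for p in positions):
            return False
        return secrets.compare_digest(decode(layout, positions), self._pin)

def user_clicks(screen, pin):
    """The user reads the device screen and clicks the same cells on a blank host grid."""
    return [screen.index(d) for d in pin]

if __name__ == "__main__":
    pin = "4821"  # constructed sample PIN
    dev = Device(pin)
    for session in range(3):
        clicks = user_clicks(dev.show_layout(), pin)
        # The host, and anything logging input on it, sees only `clicks`.
        print(session, "host saw", clicks, "unlocked:", dev.check(clicks))
```

When the scrambled keyboard is drawn by the computer itself, the computer holds `layout` as well as the clicks, so `decode` works there too; that is the difference the reply points at.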