Keylogger web application protection

Many applications make futile attempts to foil keyloggers and spyware by using convoluted (and cumbersome) password entry methods. None work against keyloggers, and many actually cause users to be LESS secure because they make it hard to use password managers.

The best way to handle that kind of thing is to use one-time passwords. There are several ways to go about it, so let me suggest two: TOTP (RFC 6238) works with many software authenticators (Google Authenticator, for instance), so it's convenient, cheap to implement and free to use. It does require the user to set things up and have a smartphone, though.

Another approach is to send a one-time password through SMS. This is a bit more expensive (because you have to send the message), but it's also easier for the user (who only needs a mobile phone and no setup).

If you were dealing with keyloggers in isolation, then it might be possible to mitigate the risk (e.g. using on-screen keyboards, 2FA or similar). However, if an attacker has the ability to install a keystroke logger on the system, it is very likely (apart from physical keystroke loggers) that they have privileged access to the system in question and as such would likely be able to circumvent any other protections you put in place (assuming that they're motivated to do so).

For example, as this is a web application, say you implement 2FA: once the user has authenticated, a session token is issued and then in general remains valid until an idle timeout occurs or the user explicitly logs out. If an attacker has privileged access to the system, it would be possible for them to issue "keep-alive" requests to prevent idle lockout and use browser injection to defeat the logout.

If you're concerned about users accessing a privileged system from compromised clients, then a better solution is to make use of dedicated/locked-down devices and restrict access to only those devices.

JavaScript cannot control low system calls and change them to get that keystroke interference. Even user-mode software protections are defeated by kernel-mode keylogging.

You can protect against hardware keyloggers by having an onscreen keyboard, which can be easily implemented.

Software keyloggers are more powerful. Smart banking trojans also capture HTTP requests and screenshots when the mouse is clicked in the banking website. Some also steal one-time passwords or bypass them.