Following the news that HP has now patched the keylogger function installed with its audio drivers, Kyle Lady commented below.
Kyle Lady, Sr R&D Engineer at Duo Security:
“Any sort of 2FA that is “out of band”—uses a different communication channel than the keyboard—can protect you from a keylogger. This include push-to-mobile-app, U2F security key, or phone call. If your 2FA method requires that you type in a passcode, from an app, a token, or an SMS message, this would still get logged. It wouldn’t be useful to an attacker in the future, but if an attacker could read your keystrokes in real-time, they might be able to use the same code before it expires. Keyloggers are rare, compared to phishing, so some sort of 2FA is better than no 2FA, but this is why we recommend U2F security keys and push-based apps as the *most* secure options. NIST even has retracted their endorsement of SMS-based passcodes due to the potential for successful attacks against that factor.”
