Keystroke encryption stops spear phishing

Only by encrypting the keystrokes of the user - and only decrypting them within the application itself - can keylogging malware be stopped, claims authentication security specialist StrikeForce.

Mark May, StrikeForce's CEO, says that anti-virus software is actually the key culprit in the success of spear phishing attacks, rather than innocent users.

Every compromised organisation - from RSA, Citigroup, and Lockheed to the FBI and the CIA - has anti-virus software that completely failed to detect and stop keylogging malware that resulted from spear phishing emails, he adds.

According to May, keyloggers remain undetected in millions of compromised systems worldwide.

And, he notes, it is not realistic to expect people to change how they use email because it's central to everyday operations.

"Once users accidentally open malware-bearing emails, hackers easily defeat anti-virus software. Anti-virus attempts to match known malware patterns against static databases that require frequent updates. But new malware finds holes in these databases, shifts its patterns, and avoids detection", he explained.

May went on to say that, with single-factor authentication, RSA's hacked two-factor token authentication, and anti-virus software all failing, the most reliable way to stop security credential theft is through keystroke encryption.

"Keyloggers are winning the war because organisations with sensitive data are neglecting to implement keystroke encryption to protect logins and passwords", he said.

"Keystrokes can be encrypted inside system kernels and carried through channels keyloggers don't typically inhabit. Two-factor, out-of-band authentication should also be used", he added.
