Another proposal from last week on how to avoid key loggers is - quite hard to read - is here
It has the nice feature of relying on the human brain to ‘extend’ the verification chain, so it doesn’t end at the client-terminal. This basically makes key logging useless (although if your credentials are compromised it is recommended to change them). Additionally at the same time it solves the problem of bots. Bots can neither create or login to an account.
There is still (at least) one issue to resolve with the current proposal. I’ll try to write it out self-contained and clear, and hopefully we can find an elegant solution to those last problems too.