Even if the attacker uses malware to record inputs and outputs from the device of the user and evaluates it, they do not manage to obtain the required credentials of the user. We assume that the attacker is able to infect devices that we use in our everyday life such as, personal computer and smartphone with malicious software, but they are not able to modify closed systems such as hardware tokens.