Or have the OS block it initially and popup a message saying what the device claims to be. The user either accepts or rejects, and if rejected the block stays in place. Only exception would be for the first keyboard/mouse plugged (unless there is a built in one, in which case even this wouldn't be an exception).

That makes it impossible to use laptops with broken keyboards, and makes it a hell to use anything with KVMs plugged.

The jimrandomh's idea very interesting. The only problem is defining what is the user's login password, but I'm sure it can be solved.

Different protocol for startup, where you select the keyboard you want. For a desktop with a good keyboard and a malicious USB both plugged in, it is going to need some way to know which one to go with anyways. The real threat is someone plugging in the bad USB after they are logged into their machine, at which point you already have a good keyboard (or are using mouse + onscreen keyboard).

Maybe even don't go with any keyboards to start, only a mouse and an onscreen keyboard and all others have to be approved.

Do KVMs unplug themselves from currently-untargeted machines, or do they just stop sending signals to those?

This instantly breaks Yubikey among other things.

A lot of security fixes break features that would otherwise be classified as exploits.

I suppose you'd need a user interface for authorizing things like that. Ideally, it'd be on the lock screen; show a message which says "New keyboard detected; sign in with that keyboard or click here and sign in with your existing keyboard to enable it". It's extra work, and makes it cross-cut through more modules, but it's hardly insurmountable.

Yubikeys are (or can be) permanently attached, so this wouldn't be a problem for those.

Quite so. I'd like a list of operating systems and what this thing does plugged into each. Is it just Windows for which this is targeted?

It works on Mac as well (FTA).

No

I wonder whether it's smart enough to adapt its keystrokes for non-Windows platforms, or whether it just does random things to peoples' computers in that case?

Yes.

It's mentioned in the comments.

That's referring to a different device, by a different commentator.

That's WAY too heavy-handed. what's wrong with a popup saying "do you want to set this up"?

How would you ever use one of these things as a guest on a computer (eg at a library kiosk)