Usernames and passwords have been around for ages, and password cracking techniques have been getting more advanced. Now there are phishing scams that are designed to confuse the user with a realistic-looking site, and there are keyloggers that try to record passwords typed in with the keyboard. Is Vidoop the solution to these vulnerabilities?

Vidoop has developed what they believe to be a more secure way for users to log in to sites. It completely eliminates the need for passwords by replacing them with an image recognition system. It works on sites that support OpenID, and here are some more details on how a user would set it up:

  1. When a user enrolls, he chooses image categories from a bank of possible image content (such as airplanes, cars, or keys). This constitutes the shared secret.
  2. Upon proof of receipt of an access code transmitted out-of-band by e-mail or phone, the user’s computer is activated with a software token.
  3. At the time of login, if the token is found, the Vidoop Dynamic Image Grid, which includes pictures belonging to the user’s chosen categories, is displayed.
  4. The user selects the images by typing the random letter shown with the image, forming a one-time access code.

One of the big keys to this working is the token that gets stored on your computer. Without that token the Image Grid will never be displayed, thereby making it impossible for a hacker to try and brute force their way into your account. What if someone got their hands on my token (maybe by stealing my computer)? If they knew the possible categories Vidoop offered then they could record what categories the images fall into each time they are displayed. They can then run a comparison to see what two categories appeared each time. I actually think a brute force attack using Vidoop could be easier than a normal password.
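To put numbers on the comparison described above, here is an added simulation (not Vidoop's code, and not from the original post). The bank size, grid size, secret size and category names are all assumptions made up for the model. It goes one step beyond the text by also showing the case where each user's decoy categories are fixed, in which comparing grids narrows nothing.

```python
import random
from math import comb

# Constructed model, not Vidoop's real parameters (all values are assumptions).
BANK = [f"category_{i:02d}" for i in range(40)]   # hypothetical category bank
SECRET_SIZE = 2                                   # categories the user chose
GRID_SIZE = 12                                    # categories shown per login

def make_grid(secret, rng, fixed_decoys=None):
    """Categories shown in one login grid; the secret is always included."""
    if fixed_decoys is not None:
        return set(secret) | set(fixed_decoys)
    pool = [c for c in BANK if c not in secret]
    return set(secret) | set(rng.sample(pool, GRID_SIZE - len(secret)))

def candidates_after(secret, logins, rng, fixed_decoys=None):
    """Categories that appeared in every one of `logins` observed grids."""
    seen = set(BANK)
    for _ in range(logins):
        seen &= make_grid(secret, rng, fixed_decoys)
    return seen

def guess_space(candidates):
    """Secret-sized category combinations still consistent with the grids."""
    return comb(len(candidates), SECRET_SIZE)

def demo(seed=1):
    rng = random.Random(seed)
    secret = rng.sample(BANK, SECRET_SIZE)
    pool = [c for c in BANK if c not in secret]
    decoys = rng.sample(pool, GRID_SIZE - SECRET_SIZE)
    rows = []
    for logins in (1, 2, 4, 8, 16):
        rand = candidates_after(secret, logins, rng)
        fixed = candidates_after(secret, logins, rng, decoys)
        rows.append((logins, guess_space(rand), guess_space(fixed)))
    return secret, rows

if __name__ == "__main__":
    _, rows = demo()
    print(f"before any grid is seen: {comb(len(BANK), SECRET_SIZE)} combinations")
    print("grids seen  random decoys  fixed decoys")
    for logins, rand, fixed in rows:
        print(f"{logins:>10}  {rand:>13}  {fixed:>12}")
```

With decoys redrawn on every login, the remaining combinations fall toward 1 within a handful of grids; with a fixed decoy set per user they stay at the single-grid value no matter how many grids are recorded.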

There is also a revenue stream available through the use of images. For example, if a user chooses “cars” as one of their categories there could be some sponsors who will display their car in the grid. Vidoop will share any revenue generated via the sponsorships with the site publisher.

Here’s a 5-minute video demonstration on how Vidoop actually works, and after you get done watching it, leave your feedback in the comments below. I’m interested in whether you think something like this could actually take off.

Thanks for the tip, Pieter!