Usernames and passwords have been around for ages, and password cracking techniques have been getting more advanced. Now there are phishing scams that are designed to confuse the user with a realistic looking site, and there are keyloggers that try to record passwords typed in with the keyboard. Is Vidoop the solution to these vulnerabilities?
Vidoop has developed what they believe to be a more secure way for users to log in to sites. It completely eliminates the need for passwords by replacing them with an image recognition system. It works on sites that support OpenID, and here are some more details on how a user would set it up:
- When a user enrolls, he chooses image categories from a bank of possible image content (such as airplanes, cars, or keys). This constitutes the shared secret.
- Upon proof of receipt of an access code transmitted out-of-band by e-mail or phone, the user’s computer is activated with a software token.
- At the time of login, if the token is found, the Vidoop Dynamic Image Grid, which includes pictures belonging to the user’s chosen categories, is displayed.
- The user selects the images by typing the random letter shown with the image, forming a one-time access code.
One of the big keys to this working is the token that gets stored on your computer. Without that token the Image Grid will never be displayed, which makes it impossible for a hacker to brute-force their way into your account. What if someone got their hands on my token (maybe by stealing my computer)? If they knew the possible categories Vidoop offered, they could record which categories the images fall into each time the grid is displayed, and then compare the grids to see which two categories appeared every time. I actually think a brute force attack using Vidoop could be easier than a normal password.
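To make the four enrollment and login steps above concrete, here is a small Python simulation of the scheme. It is an added example written for this post, not Vidoop's code (the real system's internals are not described here). It assumes a fixed per-user "category bundle" of secret plus decoy categories that is shown on every grid, which is how Vidoop's representative describes the grid in the comments, and the image bank, function names, soft-token handling and replay check are all constructed for illustration.

```python
import hmac
import random
import secrets
import string

# Constructed image bank: category -> image identifiers (placeholders, not real assets).
IMAGE_BANK = {
    "airplanes": ["plane-01", "plane-02", "plane-03"],
    "cars": ["car-01", "car-02", "car-03"],
    "keys": ["key-01", "key-02", "key-03"],
    "dogs": ["dog-01", "dog-02", "dog-03"],
    "boats": ["boat-01", "boat-02", "boat-03"],
    "flowers": ["flower-01", "flower-02", "flower-03"],
    "clocks": ["clock-01", "clock-02", "clock-03"],
    "chairs": ["chair-01", "chair-02", "chair-03"],
}


def enroll(username, chosen, bundle_size=6):
    """Step 1: the chosen categories are the shared secret. The user also gets a
    fixed bundle (secret categories plus decoys) that every grid draws from, so
    reloading the grid only ever reveals the bundle, not which members are secret.
    (Assumption for this example; the page does not specify Vidoop's internals.)"""
    chosen = sorted(set(chosen))
    if not 2 <= len(chosen) < bundle_size or any(c not in IMAGE_BANK for c in chosen):
        raise ValueError("choose at least two valid categories, fewer than the bundle size")
    decoys = [c for c in IMAGE_BANK if c not in chosen]
    bundle = chosen + random.SystemRandom().sample(decoys, bundle_size - len(chosen))
    return {"user": username, "secret": chosen, "bundle": sorted(bundle), "tokens": set()}


def activate(record, presented_code, expected_code):
    """Step 2: the access code sent out-of-band (e-mail or phone) proves possession
    of that channel; only then is a soft token issued to the user's computer."""
    if not hmac.compare_digest(presented_code, expected_code):
        return None
    token = secrets.token_hex(16)
    record["tokens"].add(token)
    return token


def deactivate(record, token):
    """What myVidoop's 'deactivate the missing computer' button would do."""
    record["tokens"].discard(token)


def render_grid(record, token, rng=None):
    """Step 3: no valid soft token, no grid, so there is nothing to guess against.
    Every cell gets a distinct random letter; those letters are the one-time material."""
    if token not in record["tokens"]:
        return None
    rng = rng or random.SystemRandom()
    letters = rng.sample(string.ascii_uppercase, len(record["bundle"]))
    cells = [(letter, cat, rng.choice(IMAGE_BANK[cat]))
             for letter, cat in zip(letters, record["bundle"])]
    rng.shuffle(cells)
    return {"cells": cells, "used": False}


def categories_shown(grid):
    """What an observer of the grid learns: the bundle, and only the bundle."""
    return {cat for _, cat, _ in grid["cells"]}


def one_time_code(grid, categories):
    """Step 4: what the user types, the letters beside the images from the
    categories he recognises, read off in grid order."""
    return "".join(letter for letter, cat, _ in grid["cells"] if cat in categories)


def verify(record, grid, typed):
    """Server side: recompute the expected letters from the grid it issued and the
    stored secret, accept them in any order, and burn the grid so a code captured
    by a keylogger cannot be replayed against the same grid."""
    if grid["used"]:
        return False
    expected = "".join(sorted(one_time_code(grid, record["secret"])))
    ok = hmac.compare_digest("".join(sorted(typed.upper())), expected)
    if ok:
        grid["used"] = True
    return ok


if __name__ == "__main__":
    rec = enroll("demo-user", ["cars", "keys"])
    tok = activate(rec, "123456", "123456")  # constructed out-of-band code
    grid = render_grid(rec, tok)
    print("grid cells:", grid["cells"])
    print("login ok:", verify(rec, grid, one_time_code(grid, ["cars", "keys"])))
```

Two things the simulation makes visible that the bullet list does not: `render_grid` returns nothing at all without a soft token, and `categories_shown` gives the same set on every reload because the bundle is fixed, so comparing grids across reloads only recovers the bundle. The `used` flag is an extra choice in this example, not something the page attributes to Vidoop.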
There is also a revenue stream available through the use of images. For example, if a user chooses “cars” as one of their categories there could be some sponsors who will display their car in the grid. Vidoop will share any revenue generated via the sponsorships with the site publisher.
Here’s a 5-minute video demonstration on how Vidoop actually works, and after you get done watching it leave your feedback in the comments below. I’m interested in whether you think something like this could actually take off.
Thanks for the tip Pieter!

Hey, Ryan.
Thanks for writing the piece. We appreciate your interest and the attention you’re giving Vidoop.
A quick response may be in order, though. First, if you were to try the attack you described, by activating a computer and then successively reloading the grid to try to see which categories appeared every time, you would see the same set of categories on each reload. Every user has a “category bundle”, which is the full set of categories his grid shows each and every time it pops.
As for getting your computer lost or stolen, that’s part of the effectiveness of a two-factor authentication system — even when one part is compromised, the other still stands in the way of the thief. Plus, you can sign into myVidoop and immediately deactivate the missing computer’s soft token.
Anyway, thanks so much for mentioning us. If you have any questions I’d be happy to answer them for you.
George
That does make sense, and I would be a bit more comfortable using that now. I just don’t see sites breaking away from the standard text-based passwords because of the initial confusion it would cause users.