A picture is worth a thousand words, especially when those words are passwords you can’t remember. An OpenID startup called Vidoop aims to replace your usernames and passwords with a grid of pictures that may contain visual advertisements. To encourage adoption of its user authentication technology, Vidoop will announce today at the Internet Identity Workshop its intention to pay affiliates, starting January 1st, for the logins to their sites that transpire under the myVidoop service.
MyVidoop serves as both a password keychain for all of the sites you log into across the web, as well as an OpenID account provider. Signing into an OpenID-enabled site with myVidoop, or retrieving all of the passwords in your myVidoop keychain, involves not a username and password, but rather a visual grid of images that fall into particular categories. When you first create a myVidoop account, you pick 3-5 types of images (e.g. birds, skyscrapers, flowers, cars). Then whenever you need to authenticate with myVidoop, you simply type the letters of the images in a randomly generated grid that fall into your chosen categories.
There are two main advantages to using this visual authentication system rather than a traditional username and password scheme. The first is security: because you never need to use a username and password (at least with the “pure” OpenID functionality of myVidoop; for non-OpenID sites the service merely provides a layer over your existing credentials), there’s no way for someone to obtain your credentials and create a robot that hacks into your accounts.
Visual authentication requires that a human - or perhaps an (impossibly) smart computer - comprehend the images in a grid and the categories they fall into, and also know the categories you have chosen (which you are less likely to have written down somewhere). On top of this, myVidoop only lets you authenticate on pre-approved machines, so the hacker would need to be sitting at your computer, or have possession of your cell phone to complete the approval step, to gain access to your myVidoop account and all its stored passwords.
The second advantage is the potential for generating revenue through advertisements. The images in the login grid can be generic, or they can promote a particular brand or product just like advertisements elsewhere on the web. Vidoop has already signed six partners to advertise through its picture grid (such as ConocoPhillips and SmartUSA, a division of Daimler Benz; you’ll see an ad for the gas station 76 in the screenshot above). Currently, Vidoop sells spots directly to advertisers and the ads are simple image overlays. However, the company is developing an API so that ad networks can channel their content into the grid. Vidoop is also working on interactive overlays with product and service offers that are tailored to users’ locations and preferences (see the map for finding local gas stations below).
The advertising potential of the Vidoop authentication system promises to benefit not only Vidoop but its partner sites as well, which is where today’s announcement comes into play. Starting January 1st, Vidoop will pay partner sites 1/100th of a cent every time someone uses myVidoop to sign into their sites. So, if you are a site owner who has 5,000 logins per day through myVidoop, you’ll get only $15 per month. But if you can persuade 1M of your users to log in with myVidoop every day, you’ll earn $3,000 per month.
Payments will only be doled out when users with OpenID accounts provided by Vidoop sign into your site, not when they simply use myVidoop’s password keychain functionality to authenticate with your proprietary username/password scheme. Nor will you make any money if the user opts for an OpenID account provided by someone else. For these reasons, it’s a bit hard to predict when (or if) the myVidoop revenue-sharing system will ever become attractive enough to yield mass adoption (although sites merely need to allow for OpenID authentication and sign up with Vidoop to begin collecting revenue).
OpenID usage in general will need to reach a critical mass before sites can expect to earn a decent amount of money through Vidoop partnerships. However, the company believes that this critical mass could be around the corner, especially if several of the big players (such as Google, Microsoft, and Yahoo in addition to AOL) begin providing OpenIDs to their users. The push for decentralized social networking through the likes of OpenSocial may require these companies to support a universal authentication system, and OpenID would be a natural choice. Vidoop stands to gain from widespread adoption since increased awareness of OpenID would cause more users to sign up for Vidoop. However, increased awareness would also heighten concerns about the security of universal authentication systems, and consequently make Vidoop’s patent-pending visual authentication scheme more attractive to both users and sites alike.
>> “Starting January 1st, Vidoop will pay partner sites 1/100th of a cent every time someone uses myVidoop to sign into their sites.”
Considering the number of sites that offer a “remember me” feature to spare you the hassle of logging in constantly, this doesn’t seem like the best method to compensate partner sites.
Impressed. Serious productivity boost with non-intrusive ad potential. Yep, this has to win Genius Idea of the Week award.
pass/fail?
fail
After registering with Vidoop through an affiliate site, it’s not necessary for those users to log into that site to earn the reward; they just have to log into myVidoop on their way to ANY site that accepts OpenID. So as long as an affiliate signs up enough people and hopes that a huge number of sites accept OpenID.
Old hat I am afraid, it’s just a different spin on KittenAuth or humanauth
http://www.kittenauth.com
http://www.gigoit.org/humanauth/
Personally I would not trust them; nice, but I would prefer to give my 100th to charity because that’s a 100th of, well, nothing… is still nothing
Microsoft did a lot of research in this area…
regards
John Jones
http://www.johnjones.me.uk
Not a bad idea. Though it’s not something I’ll be adopting today.
Patent pending? KittenAuth certainly qualifies as prior art.
I really like this idea, and given my rampant adblocking probably the only way brands are going to get onto my screen.
Vidoop’s authentication scheme is garbage. Do the math: (12 choose 3). Let’s trust all our passwords to an 8-bit secret. Great idea there, chief. Let’s throw in some ads to make it even more worthless and unusable.
But wait! The computer is “pre-authorized”. Translated through the bullshit filter, that means “a cookie”, which they probably call “two-factor authentication”.
“There’s no way for someone to obtain your credentials and create a robot that hacks into your accounts.”
Vidoop is entirely vulnerable to screen-scraping and cookie-stealing malware. This is exactly how image-based login systems have been attacked and broken in the past. This is trivial to implement.
Even if we assume the attacker doesn’t screen-scrape, once you have stolen the cookie, you have three trials to guess an 8-bit password. That means 1.5% of infected Vidoop users would have all their passwords compromised by the dumbest attack possible.
Fortunately, Vidoop is destined for failure and won’t have a large enough user base for anyone to bother attacking it. Any users they do have will get what they deserve: FAIL.
The problem is that a computer doesn’t need to be “incredibly smart” to do this: it’s just a matter of neural networks, which have existed for 50 years, although they are less known in popular technology; Lenovo fingerprint authentication works like that.
No matter what you choose as a password, there’s one thing for sure: in about 100 requests, the most frequent patterns and shapes will be one of your passwords.
I do not say it can be broken within a second, but it certainly does not last more than an hour - even if you use a human instead of a computer.
Which sounds like the most stupid, self-defeating idea I’ve heard .. ooh, all week!
What the hell is the point of adding yet one more layer to a sign-in scheme that’s meant to remove such things?
As we say in these parts, daft!
Yaaaaaaaawn
Centinel Corp already had out-of-band one-time password generation logic as a voice token in 2006 and has a patent, hence Vidoop is already in patent violation. Plus, storing the cookie on the computer already defeats the security, as people can get this cookie from your computer and this increases the security vulnerabilities.
SG
@Garbage, you make some very good points, but I think you should be careful to keep in mind what you’re comparing against.
Today most of us protect the cash in our checking accounts with a tiny little 4-digit secret in the form of an ATM PIN. And if you ever give a waiter 3 minutes alone with the corresponding card, it’s trivial for him to clone it. With the requirement for an attacker to both clone a card and guess the PIN successfully, however, the security layers build together to provide security that’s good enough for every bank.
I agree that a cookie is not as strong as using some sort of physical second factor every time. We give our users the option to never store a cookie and to always require an out-of-band activation step.
We’re working on some partnerships to layer in additional second factors (think hardware tokens), and one of the more interesting characteristics of our system is that our what-you-know factor (the grid) can subsidize or even completely pay for a conventional what-you-have factor. (See Luke Sontag’s post at http://blog.vidoop.com/archives/33 for more details.)
The bottom line for us is that every single user gets fine-grained control over the tradeoffs between usability and security, and no matter where they set the line, the mechanism requires more difficult attacks, and yields less than the 100% success rate that a stolen password provides.
I addressed most of the other points that you make on my blog the other month. You should take a look there, and please don’t hesitate to get in touch if you have any other questions.
http://scott.blomqui.st/2007/1.....ut-vidoop/
Scott Blomquist
CTO, Vidoop
I don’t get it.
I am trying to crack into somebody’s Vidoop-protected account - here is the grid: a car, a bird, a skyscraper, a cat, a boat… I am trying to guess the right images - is it a skyscraper and a cat? No, I am wrong. Let’s give it another try - the new grid is: a woman, a car, a bottle, a plane, a boat… you get the idea! Some of the right images have to be in every attempt to log in!
There is a grid of 12 images. You can choose up to 5 categories. How long is it going to take to guess the right categories? There are right images in every grid - how many grids do I need to figure the right categories out?
Maybe I am missing something but it seems to me it cannot take more than one hour to get into any account. What am I missing?
@Jan, that’s also addressed in the FAQ.
The short answer is that the entire bundle of categories for a given user is the same each time a grid loads.
Search for the word ‘bundle’ on my FAQ: http://scott.blomqui.st/2007/1.....ut-vidoop/
@Scott Blomquist:
First off, my ATM card does not unlock all my online accounts. If it is cloned and my PIN stolen, the damage is limited to just one account, and there is an avenue for recourse.
Second, an ATM PIN is 13 bits compared to Vidoop’s 7-8 bits. So, congratulations. Your scheme is 1/32nd as strong as 30-year old ATM technology.
My biggest beef is the disingenuous “hacker proof” claims your company has been making. It is clearly susceptible to malware, just like any other password manager. It’s also vulnerable to phishing and man-in-the-middle attacks.
You claim that the grid mechanism requires “more difficult attacks”. This is an extremely naive view. There are off-the-shelf components that can automate attacks against Vidoop today. These have been successfully used in practice against financial institutions using on-screen keyboards. Once there is any financial incentive, “more difficult” becomes “0-day exploit by a Russian 12-year old”.
Out-of-band SMS one-time authentication tokens are a valid idea. Unfortunately, no users will ever opt to receive an SMS message every time they want to access any of their passwords.
@garbage:
Compared to a traditional password, the security characteristics of the image grid drop the likelihood of being compromised by simple means to less than 100%. A level of security is gained.
The bigger picture has to do with economics. In the security world, we all understand the strength of smart cards, tokens, SMS OTP, etc… The problem has always been cost and scalability. We intend to knock down the barriers that keep stronger authentication out of the hands of the general public. One element of doing that is making stronger authentication a standard part of one’s web experience. With the economic characteristics of the grid (used as a what-you-know security factor) we are certain we can destroy those barriers and deliver stronger authentication to everyone at no cost.
In the short term, what would you do to improve internet security?
Luke Sontag
Co-Founder, Vidoop
@Garbage,
No one ever said anything about hacker proof. I’ve never heard of a failure-proof security system that doesn’t involve titanium, laser beams, and high-budget actors. You’re still not getting my point about keeping in mind what you’re comparing against.
We provide improvements over the usernames and passwords that you use everywhere today.
We provide improvements over the password managers that are built into web browsers today. (For example, you can have myVidoop email or SMS you with an alert any time something unusual happens on your account, or you can remotely disable access to your stored passwords in case you accidentally left yourself logged in at an internet cafe.)
Finally, and perhaps most significantly, we’re helping to improve the overall state of Internet security by providing a sustainable economic means to get strong authentication into the hands of each and every user.
In security, there’s always more work to do, and we’re always on the lookout for ways to get stronger security in the hands of even more people. If, during your research, you come across any practical ways for us to improve, please let us know.
This reads like it was written by the company’s PR flack, with no attempt to even consider whether it adds up in the smallest way. I just don’t think there is any way on God’s green earth that people want all this nonsense cluttering up their logins. We’ve all learned how to handle passwords. Giving some incredibly low revenue number to the site owner just isn’t going to make it fly. Just. Isn’t. Are we that desperate?
Impressive! It’s not about the technology, but the community is going for using standards. OpenID is a promising standard - why promising? Because the big players (Google, Yahoo, etc.) are not using it so far … and yes, they should be supporting such standards.
waiting to hear the Good News!
I don’t like to comment on TC but the thread here is interesting. The point is that Vidoop and Microsoft with inkblots are looking at possible visual methods of first-level identity, i.e. basic authentication - one over-complicated in the case of Microsoft Research, the other simplistic in the case of Vidoop.
Even if I pass this level of security it still doesn’t bestow authorisation which should be a secondary level of security confirmation and finally access being a third.
For example I can use my openid identity to state an authentication claim that I am samksethi to a website and request authorisation to a particular service.
With Openid 2 there are a number of attribute challenges (SREG, AX) that can be made i.e I have to respond to name, date of birth, mothers maiden name etc. “One” of those by the way could be a visual prompt.
If I am correctly identified then I would like to see a http://www.microid.org produced as my unique key from my openid broker and returned to the site I wish to enter.
This would then confirm my authorisation, and finally access is then up to the site I have accessed, i.e. what level of access am I: an admin or just a subscriber.
I personally like the work that Chris Messina is doing with OpenID and hCards as well as Steve Ivy on trustlists via xfn. http://redmonk.net/more_monkinetic/xfn-blogroll/
Distributed Open Identity is a difficult balance between simple ease of use and complex security. Vidoop are trying one method, Sxips uses others as does JanRain. Then of course we have Microsoft with CardSpace and information cards.
@Luke:
In the short term, what would I do to improve internet security?
Discourage people from using a service where a single XSS or XSRF attack will compromise a significant fraction of users.
Here’s how it could go down:
1. User’s Vidoop cookie is stolen from their browser. Say, through an XSS attack on MyVidoop.com or a browser bug.
2. Attacker now has the cookie and has three attempts to guess the user’s 7 to 9-bit password. 1-2% of users would be compromised just by guessing. BAM. 1% of your users just had their bank account emptied.
3. If the attacker fails in step 2, they can snag the user’s cookie again when they reauthorize. Rinse. Lather. Repeat.
That is significantly worse than the status quo, because users have to put all their trust in Vidoop’s site to be vulnerability-free.
Contrast that with plain ol’ passwords. I only need to trust my own machine. If it’s compromised with a keylogger, then I’m screwed regardless. But at least I don’t need to trust that some start-up is XSS-free.
@garbage: how do you know if a user has 3 or 4 or 5 secret categories? or whether or not the categories are sequenced or non-sequenced? have you tried this service before you commented?
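Carrying the guessing arithmetic from the thread above through in code, as an added example that is not part of the article, of any commenter's post, or of Vidoop's own software: the number of possible answers on a 12-image grid for 3, 4 or 5 categories, with and without ordering (the two cases the last comment asks about), the bits of entropy that gives, and the chance that someone already holding a stolen device cookie hits the right answer within the three attempts the comments mention, beside the same figures for a 4-digit PIN. The 12-image grid and three-attempt limit are taken from the comments; the assumption that the secret is chosen uniformly is mine.

```python
from math import comb, perm, log2

GRID_SIZE = 12       # images per grid, as described in the article and comments
MAX_TRIES = 3        # guesses before lockout, as stated in the comments
PIN_SPACE = 10 ** 4  # 4-digit ATM PIN, the comparison raised in the thread


def secret_space(k, ordered=False):
    """Number of distinct k-image answers a guesser must distinguish between.

    Unordered: the user types the k grid letters in any order (combinations).
    Ordered: the sequence of the categories also matters (permutations).
    """
    return perm(GRID_SIZE, k) if ordered else comb(GRID_SIZE, k)


def entropy_bits(space):
    """Secret strength in bits, assuming the secret is chosen uniformly."""
    return log2(space)


def p_guess_within(tries, space):
    """Chance a uniform secret is hit within `tries` distinct guesses.

    Models the cookie-theft case from the comments (my assumption): the
    device cookie is already in hand, so only the grid answer remains.
    """
    return min(tries, space) / space


def summarize(k, ordered=False):
    space = secret_space(k, ordered)
    return {
        "categories": k,
        "ordered": ordered,
        "space": space,
        "bits": round(entropy_bits(space), 2),
        "p_compromise": p_guess_within(MAX_TRIES, space),
    }


def pin_baseline():
    return {"space": PIN_SPACE,
            "bits": round(entropy_bits(PIN_SPACE), 2),
            "p_compromise": p_guess_within(MAX_TRIES, PIN_SPACE)}


if __name__ == "__main__":
    print("categories ordered   space   bits  P(hit in 3 tries)")
    for ordered in (False, True):
        for k in (3, 4, 5):
            s = summarize(k, ordered)
            print(f"{s['categories']:>10} {str(s['ordered']):>7} "
                  f"{s['space']:>7} {s['bits']:>6} {s['p_compromise']:.4f}")
    b = pin_baseline()
    print(f"4-digit PIN           {b['space']:>7} {b['bits']:>6} {b['p_compromise']:.4f}")
```

The first row reproduces the (12 choose 3) figure and the roughly 1.4% three-try success rate argued over above; the ordered rows show how much the sequencing question in the last comment changes the numbers.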