There have been some good blog conversations lately about myVidoop.com and Vidoop Secure (over at Judi Sohn’s Web Worker Daily review of myVidoop, or Carleen Hawn’s write-up over at GigaOM for example).
There are several really good questions that get asked often. I figured I’d collect them all here so that I have one place that I can point people toward the next time I encounter similar questions.
What’s the difference between Vidoop, Vidoop Secure, and myVidoop.com?
Vidoop is a Tulsa, OK-based technology company. (We call Oklahoma the Silicon Prairie. I hear that other people call where they’re from the Silicon Prairie, too. But I think ours is the real one.)
Vidoop Secure is our authentication technology (which is available to license as an easy-to-use, low-cost authentication technology, can be configured to provide strong two-factor security, and can even completely replace passwords).
myVidoop.com is our free consumer Identity service that allows you to test-drive the Vidoop Secure technology and manage your usernames and passwords for the entire internet.
How does Vidoop Secure work?
The core of the Vidoop Secure authentication mechanism is a grid of images where each image is chosen to represent a particular category (for example, “cats” or “telephones” or “food”). When a user signs up for an account, instead of choosing a secret password, he chooses a set of 3-5 secret categories (let’s use “cars”, “boats”, and “flowers”).
When it’s time to sign back in, the user is presented with a random set of images, placed randomly in the grid, each with a random character superimposed on the image. In order to log in, the user types the set of characters corresponding to his set of secret categories. So, for example, if I find a picture of a sports car with a Q on it, a picture of a sailboat with a W on it, and a picture of some roses with a B on it, my access code for this attempt might be “QBW”, “BQW”, or “WQB”.
(NOTE: Optionally, the categories can be required to always be entered in the same order, which makes a set of secret categories harder to guess. If you’re a myVidoop.com user, you’ll find the setting on the Accounts/Image Categories tab. If you have licensed the Vidoop Secure technology, you can require the setting for any subset of your users, or allow them each to choose for themselves.)
Because the images representing a user’s secret categories move around each time, and because the specific set of images displayed changes every time, it requires human-level cognition to decipher a given user’s grid into his access code. For example on a subsequent login attempt I might see, instead of the above example, a picture of a minivan with a Z on it, a picture of a cruise ship with an O on it, and a picture of a tulip with an L on it. This time, my access code would be “ZOL” or “LOZ” or “OLZ”.
If it’s based on images, how can it be accessible to those with vision impairments?
An art museum can be accessible even if its paintings are not.
Web sites will have to use a non-visual approach to authenticating users who are visually impaired; this doesn’t mean that sighted users should not benefit from the added security provided by visual authentication techniques.
The approach for authenticating visually impaired users that ships as part of the Vidoop Secure SDK is to deliver an activation PIN using a voice phone call (which you can try out on myVidoop.com) in combination with a conventional text-based shared secret. This still provides inexpensive two-factor authentication without requiring the use of additional hardware.
Isn’t this whole secret categories thing a lot like a 3 character password? Isn’t that pretty weak security?
Like a 3 character password, it only requires typing 3 keys on the keyboard. Unlike a 3 character password, even if malicious software records the 3 characters that you type, the information that it provides to an attacker is not directly reusable in the future. A large amount of additional work is required for an attacker to turn the output of a keylogger into data that will be useful on future logins.
Let’s take a quick look at another highly secure system that you probably use every day. All of the money in your bank account is protected by a little plastic card that your waiter could clone without your knowledge while he has it in the back of a restaurant, and a little 4-digit number that you’ve probably kept the same since your very first ATM card.
You don’t lose sleep scared of the waiter because he doesn’t know your PIN, and you’re not terribly worried about someone watching over your shoulder at the ATM because that person doesn’t have your card.
In the case of an ATM card and PIN, two separate (and independently weak) mechanisms are employed together to make up a very secure system, one that all of us trust to protect access to our money. Security folks call these two pieces “what you have” (your card) and “what you know” (your PIN). A security system that makes use of both “what you have” and “what you know” is called “two-factor”.
Much like your ATM card and PIN, Vidoop Secure makes use of two-factor security. You don’t get to even see the grid of images that I described above unless you’re accessing the site from a web browser that you have activated using a “what you have” factor. Today, myVidoop.com allows you to activate your web browser using a 6-digit code that you received using your choice of second factor ranging from an email address to SMS messages to your cell phone to a voice call to your home or work phone.
Many users today simply choose to use the email option. While this is not as secure as requiring the use of a phone because the email account probably uses a conventional username and password, layering this with the Vidoop Secure image grid makes the entire experience more secure than username/password alone.
For added security, many other users choose to only allow the activation of their account via one of their phones. This means that physical access to their phone is required in order to log in to their account.
I only allow the use of my cell phone to log in to my account. Such a practice is even stronger than an ATM card because my phone is nearly impossible for my waiter to clone while paying for dinner, and I’ll notice it missing a lot faster since I use it more often.
In a licensed Vidoop Secure environment, the administrator can choose which subset of these options are strong enough to protect their users’ accounts.
But isn’t that harder to use?
We’ve spent a lot of time designing, testing, and refining our system to make it very easy to use.
Users have the ability to decide whether to allow a browser activation to only last for one session, or for it to be remembered for future use on the same computer. Computers can be deactivated from anywhere in case one of yours is lost or stolen. We can send you either email or an SMS message if certain events occur on your account that might signify an attack.
We have extensive help pages that should answer most of your questions about how to use myVidoop.
But the bottom line is that myVidoop.com seeks to provide the last set of authentication credentials you will ever need by managing the usernames and passwords for your other sites as well as providing a best-in-breed OpenID for you to use on any web sites that accept OpenID.
How much does it cost?
myVidoop.com is completely free for you to use. We pay to operate the site (including the extra security features such as phone and SMS) using advertising revenue from sponsored images in the authentication grid.
Does it work on mobile devices?
It certainly won’t work on all mobile devices (you should see some of the ancient cell phones some of our developers carry; it’s kinda sad, but I digress), but we’ve built prototypes that display the grid for .NET Compact Framework and J2ME devices, and we’ll be shipping iPhone support on myVidoop.com very soon.
If you think you have a killer mobile scenario for Vidoop Secure, take a look at http://www.vidoop.com/products.php?topic=mobile, and then get in touch with us.
Looking at a grid, I can’t tell what all the categories are. Don’t you usability test your images?
Keep in mind that a legitimate Vidoop Secure user and a hacker have two very different tasks while looking at the grid.
A hacker has to answer “what category does this yellowish-sphere-with-a-ring-around-it represent?” We don’t spend any effort to make sure our images work well in this direction.
Legitimate Vidoop Secure users, on the other hand, have to answer “which image is an example of an object in space?” (It’s that yellowish sphere from before (the planet Saturn), only now it’s more clear because I know more about what I’m looking for.) We extensively test our images to make sure they work in this direction.
We’re working to make the hacker version of the question even harder. By using images that represent more than one category, a hacker has a bigger identification problem to solve (and one that doesn’t have a unique solution).
Why do I have to type anything in? Why can’t I simply click on the images for my categories?
There are two big reasons for this: 1) security and 2) compatibility with our advertising features.
From a security point of view, if a hacker tries to use simple software to attack the image grid, he has many more possible choices if he has to guess from every letter in the alphabet, rather than simply mimicking a click within one of 12 or 16 images in the grid.
For our advertising features, allowing a user to click through an image for more details or for a special dinner coupon from the “food” category is an important part of how we keep our site free for our users. It would be difficult to distinguish clicks for authentication from clicks indicating user interest.
Can’t I just load a user’s image grid a few times and learn what his categories are by watching which categories stay the same and eliminating those that change each time?
No. Although we’ve seen some of our antagonists go so far as to claim that they “broke [their] own password in three [grid loads]”, they were completely making that up. We employ a technique that we call “category bundling” to create a semi-permanent set of image categories that we will show to a given user until the next time he changes his secret categories.
The extra categories can be chosen at random, or can be hand-selected by each user.
By always showing the same set of categories to any given user, an attacker cannot use the process of elimination to learn anything about which categories participate in a user’s set of secret categories and which are simply used to fill out the grid.
When you combine this category bundling technique with the fact that an attacker won’t see a user’s grid unless he’s hacking from a browser that the victim has activated, Vidoop Secure’s layered approach to security is very strong.
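To make the grid mechanism from the “How does Vidoop Secure work?” answer and the category-bundling answer above concrete, here is a toy simulation added for this write-up (it is not Vidoop’s code): a server-side grid builder, the any-order and fixed-order access-code checks, and a replay check showing that a code captured from one grid is useless against the next. The image catalogue, the 12-cell grid, and the alphabet without I and O are my assumptions.

```python
import random

RNG = random.SystemRandom()  # OS-backed CSPRNG; the grid must be unpredictable
CATALOG = {  # constructed toy catalogue, not Vidoop's image corpus: category -> images
    "cars": ["sports car", "minivan"], "boats": ["sailboat", "cruise ship"],
    "flowers": ["roses", "tulip"], "cats": ["tabby", "kitten"],
    "telephones": ["rotary phone", "cell phone"], "food": ["pizza", "sushi"],
    "space": ["saturn", "moon"], "tools": ["hammer", "wrench"],
    "birds": ["robin", "eagle"], "trees": ["oak", "pine"],
    "shoes": ["sneaker", "boot"], "hats": ["fedora", "beanie"],
}
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ"  # assumption: I and O dropped to avoid 1/0 confusion
GRID_SIZE = 12

def bundle_categories(secret, rng=RNG):
    """Category bundling: fix this user's grid categories once (until the secrets change)."""
    fillers = [c for c in CATALOG if c not in secret]
    return sorted(list(secret) + rng.sample(fillers, GRID_SIZE - len(secret)))

def build_grid(bundle, rng=RNG):
    """Per login: one random image per bundled category, a unique random char, cells shuffled."""
    chars = rng.sample(ALPHABET, len(bundle))
    cells = [(cat, rng.choice(CATALOG[cat]), ch) for cat, ch in zip(bundle, chars)]
    rng.shuffle(cells)
    return cells  # (category, image, char); the browser only ever sees image + char

def expected_code(grid, secret):
    """Server side: the character currently sitting on each secret category."""
    return {cat: ch for cat, _img, ch in grid if cat in secret}

def user_reads(grid, secret):
    """The legitimate user's task: find his categories' images and read their chars."""
    return "".join(expected_code(grid, secret)[c] for c in secret)

def verify(grid, secret, typed, ordered=False):
    """Check a typed code against this grid only; any order unless ordered=True."""
    want = expected_code(grid, secret)
    typed = typed.upper()
    if ordered:
        return list(typed) == [want[c] for c in secret]
    return sorted(typed) == sorted(want.values())

def replay_rate(bundle, secret, code, trials=200, rng=RNG):
    """How often a code captured from one grid happens to verify on fresh grids."""
    hits = sum(verify(build_grid(bundle, rng), secret, code) for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    secret = ("cars", "boats", "flowers")
    grid = build_grid(bundle_categories(secret))
    print([(img, ch) for _cat, img, ch in grid], user_reads(grid, secret))
```

Every grid built from the same bundle shows exactly the same twelve categories, which is why loading the grid repeatedly tells an attacker nothing about which three are secret.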
If you’re worried about a keylogger, why aren’t you worried about a combination keylogger/screen capture utility?
In a nutshell, we significantly increase the effort to which an attacker must go as follows:
Conventional username and password:
- Use keylogging software to steal a user’s username and password.
- Use the stolen username and password any time in the future from any machine to access the compromised account.
Vidoop Secure:
1. Use keylogging software to steal a user’s username.
2. Steal a user’s access code.
3. Steal screenshots of the user’s grid that correspond to the access code.
4. Steal a user’s browser activation cookie, assuming they even have one… that’s not tied to specific IP addresses.
5. Apply custom OCR software to automate recognizing the characters on the images.
6. Find the images that correspond to the user’s access code.
7. Load the complete catalog of the Vidoop Secure image corpus that you finished building and hand-categorizing recently. (If it’s not recent, there’s a good chance that the images have changed out from under you; we turn it over periodically.)
8. Using computer vision software, match the images that the user chose to your fully categorized image catalog.
9. Now you have a guess at a user’s categories, but there may still be some uncertainty if any of the images could be in more than one category.
10. You have 3 guesses before the server decides to disavow knowledge of the activation cookie that you stole in step 4. Or you can try repeating steps 1-3 a few more times in order to get enough data that you no longer have to guess.
While it is theoretically possible to fully automate the theft of a user’s Vidoop Secure credentials, the difficulty is significantly higher. There are opportunities for factors such as IP address or time passing to affect an attacker’s ability to complete the attack, there is significantly more data that has to be collected, and there is human involvement required.
Because of all of these factors, and many more, we expect that for the foreseeable future the majority of hacking targets will continue to be conventional usernames and passwords.
I have another question that you didn’t answer here.
By all means, send us any other questions you have! I expect to follow up some other time with answers to even more of your questions.