MyVidoop not strong enough
Wednesday, April 18, 2007 at 08:08AM

Vidoop beta-released their OpenID provider at the Web 2.0 expo.
Vidoop authenticates using pictures: at signup you select a few general categories, and when you log in you need to remember which ones you chose. For example (see pic), if your categories are flowers, insects, and locks, you’d enter the letters G, C and N in any order.
This definitely looks cool, sort of a spiced-up version of Entrust’s IdentityGuard.
Vidoop makes a few statements:
“Vidoop secures your username against the prevalent forms of hacking including keystroke logging, phishing, password guessing, and many Internet spying schemes.”
Let’s see how they work out.
Keystroke logging is still possible, since you still have to type your password. I’m not sure what Vidoop means here. Now, if you could (or had to) click on the pictures to enter your password, then perhaps.
Phishing is still possible. The fact that the IDP pops up pictures and you enter associated letters doesn’t change anything. A phisher has only to learn one sequence, so, in effect, this vidoop scheme distills into a single-password scheme.
Password guessing is still possible. In fact, since a user is likely to choose only a small number of categories, and since every ordering of those categories is accepted (in our example above, NCG, CNG, etc. are all valid sequences), the strength of the system is significantly weakened. It’s the same as if your bank ATM PIN could be entered in any order.
Internet spying schemes? Sounds very vague. What exactly are those, and what does Vidoop protect against?
Moreover, Vidoop doesn’t seem to force the use of SSL-protected links: you can remove the ‘s’ from ‘https’ and keep going. This is likely a mistake, but it opens the door to MITM attacks.
In all, Vidoop is a promising start for a security-first effort, but some of the claims should be toned down.
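To put a number on the any-order weakening argued above, here is an added example (not code from the original post or from Vidoop): it computes the chance that one random guess is accepted on a picture grid of a given size, with and without order mattering, and does the same for an ATM PIN that may be typed in any order. A 12-picture grid with 3 secret categories and a 3-try lockout are assumed as sample parameters; the functions take any values.

```python
from itertools import permutations
from math import factorial, perm


def grid_guess_probability(cells: int, k: int, any_order: bool) -> float:
    """Chance that one random guess of k distinct grid letters is accepted.

    cells:     number of pictures on the login grid, one letter per picture
    k:         number of secret categories (letters the user must enter)
    any_order: True if the provider accepts the k letters in any order
    """
    ordered_guesses = perm(cells, k)              # k distinct letters, in order
    accepted = factorial(k) if any_order else 1   # orderings the provider accepts
    return accepted / ordered_guesses


def order_weakening_factor(k: int) -> int:
    """How many times larger the accepted set becomes when order is ignored: k!."""
    return factorial(k)


def success_within_attempts(p_per_guess: float, attempts: int) -> float:
    """Chance an attacker succeeds before a lockout after `attempts` distinct guesses.

    Distinct guesses never repeat, so their probabilities add up
    (exact as long as attempts * p_per_guess <= 1).
    """
    return min(1.0, attempts * p_per_guess)


def pin_accepted_orderings(pin: str) -> int:
    """Distinct digit orderings accepted if an ATM PIN may be typed in any order.

    Repeated digits yield fewer distinct orderings: '1123' -> 12, '1111' -> 1.
    """
    return len(set(permutations(pin)))


def pin_guess_probability(pin: str) -> float:
    """Chance that one random guess of a len(pin)-digit PIN is accepted in any-order mode."""
    return pin_accepted_orderings(pin) / 10 ** len(pin)


if __name__ == "__main__":
    CELLS, K, TRIES = 12, 3, 3   # assumed: 3x4 picture grid, 3 categories, 3-try lockout
    strict = grid_guess_probability(CELLS, K, any_order=False)
    loose = grid_guess_probability(CELLS, K, any_order=True)
    print(f"order matters: 1 in {round(1 / strict)}")
    print(f"any order:     1 in {round(1 / loose)} (x{order_weakening_factor(K)} weaker)")
    print(f"{TRIES} tries before lockout, any order: {success_within_attempts(loose, TRIES):.2%}")
    print(f"PIN 1234 guessed in any-order mode: 1 in {round(1 / pin_guess_probability('1234'))}")
```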



Reader Comments (1)
Thank you for blogging about Vidoop's authentication solutions. In response to your comments:
1. Keystroke logging is not possible because the codes that appear on the grid will change every time the grid loads. For example: Boats, Planes, and Mountains are A, B, C this time, and could be X, Y, Z the next time.
2. Phishing is not possible because the hackers would have to be able to somehow generate an out-of-band request to the user (on an unactivated computer) and the image grid as well. They would need to be able to have the secret categories of the targeted users displayed on the grid.
3. I assume you meant category guessing when you said password guessing, and on a 3x4 grid, 3 secret categories, and order doesn't matter, it is a 1/72 chance of the categories being guessed. If you change that to where order matters, the chance becomes about 1/500. There is also a lockout after 3 failed attempts.
Vidoop is not claiming to be the perfect solution to internet security. Vidoop does, however, provide a more secure authentication technology for internet users against today's most prevalent forms of hacking.
If you have any more feedback or questions, please feel free to email me.