
MyVidoop Tries to be Everything You Need for Login Security

October 1st, 2007 (6:00am) Judi Sohn 15 Comments

It’s not a new problem. With all the “Web 2.0” websites come more and more usernames and passwords to remember and catalog. We’ve been trying to figure out a way of managing all that data, securely, for a while now. OpenID has been embraced by many as the answer. Take a website you trust and that knows you (even your own), and have it broker your connection with other sites. The catch: That’s fine for sites that take OpenID logins, but most don’t.

There are desktop software solutions like Roboform (PC) or 1Passwd (Mac), but they won’t help you when you’re away from your main computer, and they don’t stop hackers and other evil-doers from stealing your password when it’s transmitted to the site.

Vidoop has come up with an interesting, multi-layered approach to both the password-juggling problem and the evil-doer problem with a solution that uses visual cues instead of passwords. They’ve taken their technology and now offer it in a free, soup-to-nuts consumer package they call MyVidoop.

Let’s take a look.

First of all, MyVidoop is an OpenID provider. Sign up for a MyVidoop username and your OpenID username is http://username.myvidoop.com. For sites that take OpenID logins, you’re all set.

Still don’t get OpenID? Then watch this entertaining video the Vidoop folks put together that explains conceptually how it all works:

Once you’ve trusted sites, you can manage them easily from your MyVidoop page.

For sites that don’t support OpenID, MyVidoop offers a Firefox plugin (IE support promised, no word on Safari yet) that lets you store your passwords either on MyVidoop’s servers or in an encrypted file on your computer. The plugin, when activated, will offer to auto-fill the site login fields when you visit the page again.

This feature works best if you have a single login per site. If you have multiple identities, you’ll have to visit your MyVidoop page and click the URL in the saved site list to log in with that unique username/password. If you’re not using Firefox, or you don’t have the plugin installed, you have to copy/paste your login information. Otherwise, it works similarly to the third-party desktop applications or even the auto-fill built into the browser, but if you store your passwords on MyVidoop’s servers you can also get to them from any computer. I’ve asked the company specifics on how they keep those stored passwords secure and backed up, since their technology primarily focuses on the login process. Until you know this is a company you can trust, you may be better off sticking with the local saving option.

Keep in mind that when MyVidoop stores the encrypted file locally it’s only accessible from that one browser. A much-needed feature is the ability to decrypt that local file outside of the MyVidoop site. So your locally stored file from Firefox is not available when you log in from Safari, and vice versa. Same if you jump between Firefox and IE on a PC. You can save an encrypted file and reopen it from within MyVidoop, but that requires maintaining multiple local copies of the same data. Awkward.

If your life is a mix of sites that do and do not support OpenID, MyVidoop is one-stop-shopping to manage it all in one interface.

So, you say, couldn’t someone just get your username/password for MyVidoop and cause mayhem and destruction on your life? Not so fast. That’s where MyVidoop gets interesting.

Logging in to MyVidoop uses Vidoop Secure. What’s so special about Vidoop Secure? I’ll tell you. When you register, instead of picking a password you pick 3 visual categories that you keep secret. Like Bank of America’s sitekey, people tend to remember pictures better than they remember words or phrases. The registration process walks you through:

Once you’re registered and good to go, when you log in to MyVidoop your password is entered by picking the letters next to the 3 visual categories you picked.

The pictures change each time, so if “flowers” is your category you won’t necessarily see the same flora the next time. The position of your categories changes on the grid, as do the categories in the 9 boxes that aren’t your choice. Even if someone records that you typed “bxr” this time, it won’t matter because that won’t be the accepted code the next time you log in. This stops phishing, since the fake site has to know to include your 3 categories. If you don’t see all 3 of your categories in the grid, you know something is wrong. A CAPTCHA wants to make sure you’re a human being. Vidoop wants to make sure you’re you.

But what if evil-doers start guessing at your categories? They have to get that far. If you are not using a browser on a computer that you’ve previously registered in MyVidoop, the software will first verify you via a one-time activation code in some out-of-browser way. You can have the software call your pre-arranged voice phone (it’s a recorded message), send a text message, or email your registered address. Your choice, depending on where you are. Whichever method you choose, you must enter the code in the window to proceed. Once successful, you have the option of having MyVidoop remember that location. Then and only then are you presented with the visual grid for login.

The company teases a mobile solution on their site, but there don’t appear to be any real-world examples.

Vidoop is looking to be profitable through a number of avenues. First, companies can license the Vidoop security solution for their own sites. They are also offering sponsorship opportunities on the visual images. That’s not just any pizza in the food category image…that’s Mazzio’s Pizza. Roll over the image for an ad. However, if the only site that has this login technology is MyVidoop and it doesn’t build a user base quickly, that may not go far.

The Bottom Line:

Vidoop/MyVidoop shows some promise towards consolidating the mess of usernames and passwords we have to remember in a very safe and secure manner. It’s not perfect yet. Sometimes it can be difficult to make out whether or not the picture is in your category (I’d avoid “toys” and “telephones” as category choices for that reason…I had trouble with those). The plugin can be a bit temperamental, and it will only autofill one ID per site, although you can save multiple IDs if you choose to fill them from within MyVidoop.

If you’re worried about someone snooping on you when you enter your passwords, or you like the idea of managing OpenID trusted sites in the same interface as you save your other usernames and passwords, then MyVidoop is definitely worth considering. Otherwise, it may be more trouble than it’s worth, especially for a startup. I’d especially urge caution until MyVidoop allows its password file to be decrypted outside of MyVidoop.


15 Comments

vincent404 says: October 1st, 2007 6:30am

Wish I knew of this BEFORE I signed up with Myopenid. If anyone knows of a way to port one OpenId to another provider, let me know.

FirefoxUser says: October 1st, 2007 12:23pm

There are many good Firefox add-ons for password management – and they work on Windows, Mac and Linux! One of them (iMacros) can even use social bookmarking services to store the passwords, so you can access them from every PC that has Firefox installed.
http://del.icio.us/imacros/imacro

Isaac Rabinovitch says: October 1st, 2007 12:55pm

“There are desktop software solutions like Roboform (PC) or 1Passwd (Mac), but they won’t help you when you’re away from your main computer…”

Roboform certainly can. You can get PDA apps (PalmOS and Windows CE) that store copies of all your logins.

Carsten Pötter says: October 1st, 2007 1:26pm

I haven’t tried MyVidoop yet, though it seems to have similar features (OpenID/password management) as Sxipper. BTW, there are two really good online password management services which should be interesting to people who don’t need an OpenID provider or who have one already: PassPack and Clipperz.

@Vincent404: Currently there is no way to port OpenIDs from one provider to another. Though if you have a blog or website you should consider delegation which means that your blog’s URL works as an OpenID while delegating the authentication process to an OpenID provider. This way you can always change the provider while using the same URL as an OpenID: your blog’s URL.
Some relying parties (=websites that let you log in with OpenID) let you associate multiple OpenIDs with your account. So it’s possible to use different OpenIDs for login.
Anyway don’t worry, MyOpenID is one of the best providers out there, IMHO.

tyler says: October 1st, 2007 6:58pm

rhymes with poop?!

Scott Blomquist’s Online Identity, 2.0 » Blog Archive » Every week should be like this one! says: October 4th, 2007 8:53pm

[...] We’ve had a few good write-ups this week. Especially an article in Financial Week and a review of myVidoop in Web Worker Daily. [...]

George Louthan says: October 5th, 2007 11:20am

Thanks for the write-up! And, speaking as the person attached to the hand in that video, I always get a kick out of seeing that around.

One thing that I’d like to add is that, though only one username will autofill, changing it to a different saved account is just a matter of clicking the “username” field and selecting the one you want to use, if that makes sense.

Again, all this attention we’re getting is so exciting, and I want to thank everyone for being interested.

links for 2007-10-06 « Zero influence says: October 5th, 2007 5:38pm

[...] MyVidoop Tries to be Everything You Need for Login Security « Web Worker Daily Short review on Vidoop. I so love this platform. (tags: login authentication advertising transaction SSO Token) [...]

Judi Sohn says: October 7th, 2007 3:51am

Thanks, George. I don’t know why I didn’t notice that before.

I’m still enjoying MyVidoop, but one thing about the Firefox plugin is driving me crazy: The timeout is way too short. I can be reading a long article or writing an email, and MyVidoop will log me out. I understand that it can only monitor browser activity, so if I’m working in email or Word the plugin thinks I’ve left the computer. But the time has to be longer than it is.

S.W. says: October 8th, 2007 1:19pm

This login scheme can be defeated by an illiterate person clicking reload a few times. All they need to do is keep track of which image categories are consistently displayed. I broke my own password in 3 reloads.

This can be automated by scraping and classifying Vidoop’s image library.
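
The reload observation in this comment can be checked on a model of the grid the article describes. The following is an added simulation, not code from the original post or from Vidoop; the 40-category pool, the function names and the fixed-decoy variant are assumptions made for illustration.

```python
import random
import string

# Constructed pool: the page does not list Vidoop's real categories.
POOL = [f"cat{i:02d}" for i in range(40)]
GRID, SECRET_N = 12, 3   # 3 secret categories + 9 others, per the article


def make_challenge(secret, rng, fixed_decoys=None):
    """Return {category: letter} for one grid load.

    fixed_decoys=None redraws the 9 other boxes on every load, as the
    article describes; a per-account list keeps the shown set constant.
    """
    if fixed_decoys is None:
        others = [c for c in POOL if c not in secret]
        fixed_decoys = rng.sample(others, GRID - SECRET_N)
    shown = list(secret) + list(fixed_decoys)
    rng.shuffle(shown)  # positions change on every load
    letters = rng.sample(string.ascii_lowercase, GRID)  # so do the letters
    return dict(zip(shown, letters))


def expected_code(secret, challenge):
    """One-time code: the letters beside the user's categories."""
    return "".join(challenge[c] for c in secret)


def loads_until_exposed(secret, rng, fixed_decoys=None, max_loads=50):
    """Loads needed before the categories present in *every* load are
    exactly the secret set; None if that never happens."""
    always_shown = None
    for n in range(1, max_loads + 1):
        shown = set(make_challenge(secret, rng, fixed_decoys))
        always_shown = shown if always_shown is None else always_shown & shown
        if always_shown == set(secret):
            return n
    return None


if __name__ == "__main__":
    rng = random.Random(2007)
    secret = ["cat03", "cat17", "cat29"]
    print("redrawn decoys:", loads_until_exposed(secret, rng))
    print("fixed decoys:  ", loads_until_exposed(secret, rng, POOL[30:39]))
```

With redrawn decoys the secret set is typically isolated after a handful of loads; with a fixed per-account decoy list the set of categories seen on every load never shrinks below the 12 on the grid.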

Judi Sohn says: October 8th, 2007 3:14pm

@S.W. Perhaps, but you have to be sitting at a computer that MyVidoop has already authorized.

S.W. says: October 9th, 2007 12:48am

@Judi

On an authorized computer, the login system is worthless and can be defeated by anyone in seconds. So, the whole hype about their image grid is complete bunk. They’re better off using a plain old password.

The entire security of the system relies on the “software token” (a.k.a. a cookie). Since this token is sitting on a drive and written by a user process, it’s vulnerable to being stolen by malware. It’s disingenuous for them to be touting this as a protection against keyloggers when it’s just as easy for malware to grab the activation data.

Wondering says: October 9th, 2007 1:46pm

S.W.

You need to go back to school. How exactly does a password (no matter how complex) combat simple keystroke logging? automation? guessing?

-WONDERING what kind of security related authority you have especially since you sound like you are just hating.

Scott Blomquist » Blog Archive » The hard FAQs about Vidoop says: October 9th, 2007 10:36pm

[...] have been some good blog conversations lately about myVidoop.com and Vidoop Secure (over at Judi Sohn’s Web Worker Daily review of myVidoop, or Carleen Hawn’s write-up over at GigaOM for [...]

Jason the Content Librarian » Blog Archive » Exploring OpenID and identity 2.0 resources says: October 10th, 2007 2:15pm

[...] a concept called OpenID. But I had never taken any concrete steps to learn more. But last week Web Worker Daily had a post about a very interesting new OpenID service, called Vidoop. Vidoop is an OpenID provider, so when [...]
