| Computer Security|
Luke Sontag, Joel Norvell
| Vidoop Secure, myVidoop.com|
Portland, Oregon, United States
2006, Tulsa, Oklahoma, United States
Vidoop LLC was a privately held company based in Portland, Oregon. Its flagship product was Vidoop Secure, a login solution designed to function without traditional passwords, which Vidoop claimed was resistant to brute force, keystroke logging, phishing, and some man-in-the-middle attacks. On 30 May 2009, Vidoop announced that it was going out of business.
Vidoop was founded in 2006 in Tulsa, Oklahoma. As of March 2006 it had 4 employees and would initially reveal only that it was developing a novel login solution that hides an access code in plain sight. After over a year of secretive development and testing, the company launched its product, Vidoop Secure, at the Web 2.0 Expo in San Francisco, California on 2007-04-17. Luke Sontag, a co-founder, gave a presentation at the expo demonstrating the technology and further announced that an unnamed Fortune 500 company would be replacing its login system with Vidoop by July 2007.
Vidoop's core technology is the Vidoop Dynamic Image Grid, a login tool that powers Vidoop Secure and thus myVidoop.com. The company also sells advertising space, allowing a company to place its products as images in the grid. There are currently two multi-national advertisers: Smart USA (a division of Daimler) and ConocoPhillips (Phillips66, Conoco, and 76 brand gas stations). One regional advertiser: Mazzio's. And one local advertiser: Jackie Cooper Imports (A local Tulsa, OK auto dealer).
Vidoop Secure is a user login technology based on categorized images. When a user enrolls in a system implementing the technology, he chooses from several categories of images (such as airplanes, cars, or keys). Furthermore, the user's computer is "activated" with a cookie, which is only provided upon the user's confirmation of a code transmitted either by email or by phone via voice or text message. At the time of login, if the cookie is found, a grid of images is displayed that includes pictures belonging to the user's chosen categories. The user selects these images by typing the randomized letter associated with each of his images, forming his access code.
myVidoop.com is an OpenID provider run by Vidoop and powered by Vidoop Secure. As an OpenID provider, myVidoop.com is part of the movement that aims to provide a decentralized framework for a web single sign-on.
Vidoop has met with criticism regarding the claims of their technology's resistance to hacking. For example, researchers at CommerceNet have described a possible attack, and also published a video of a man-in-the-middle attack executed against myVidoop.com, both on the CommerceNet weblog.
Additionally, questions have been raised about the accessibility of Vidoop Secure to those with visual impairments.
Vidoop's authentication scheme essentially consists of a very short secret and a "pre-authorization" cookie. A users' shared secret is a set of 3-5 categories out of a possible 12, which is only 8-10 bits of entropy. Vidoop allows users to enter in their categories in at least two possible orders, reducing the effective secret by a bit. An attacker in possession of the pre-authorization cookie could guess 1-2% of passwords in the three given trials.