Vidoop

Infobox_Company
company_name = Vidoop LLC
company_type = Private
company_slogan = "Securing a World of Information"
foundation = 2006
location_city = Portland, OR
location_country = USA
num_employees = 26
industry = Computer Security
products = Vidoop Secure, myVidoop.com
homepage = [http://www.vidoop.com/ www.vidoop.com]

Vidoop LLC is a privately-held company based in Portland, Oregon [cite web | title = Vidoop leaving Tulsa | publisher = Tulsa World | url = http://www.tulsaworld.com/business/article.aspx?articleID=20080903_5__Tulsa56332] . Its flagship product is Vidoop Secure, a login solution designed to function without traditional passwords, which Vidoop claims is resistant to brute force, keystroke logging, phishing, and some man-in-the-middle attacks. [cite web | title = Vidoop.com: Vidoop Secure Resistance to Attack | publisher = Vidoop LLC | url = http://www.vidoop.com/products.php?topic=resistance | accessdate = 2008-01-29 ]

Founding and Launch

Vidoop was founded in 2005 in Tulsa, Oklahoma. As of March 2006 it had 4 employees and would initially reveal only that it was developing a novel login solution that hides an access code in plain sight. After over a year of secretive development and testing, the company launched its product, Vidoop Secure, at the Web 2.0 Expo in San Francisco, California on 2007-04-17. Luke Sontag, a co-founder, gave a presentation at the expo demonstrating the technology and further announced that an unnamed Fortune 500 company would be replacing its login system with Vidoop by July 2007. [Citation |last = Evatt | first = Robert | title = Access Granted | newspaper = Tulsa World | pages = E1 | year = 2007 | date= 2007-04-18 | url = http://www.tulsaworld.com/business/article.aspx?articleID=070418_238_E1_hTuls34656]

Products

Vidoop's core technology is the Vidoop Dynamic Image Grid, a login tool that powers Vidoop Secure and thus [http://www.myVidoop.com/ myVidoop.com] . The company also sells advertising space, allowing a company to place its products as images in the grid. There are currently two multi-national advertisers: Smart USA (a division of Daimler) and ConocoPhillips (Phillips66, Conoco, and 76 brand gas stations). One regional advertiser: Mazzio's. And one local advertiser: Jackie Cooper Imports (A local Tulsa, OK auto dealer). [cite web | title = Vidoop.com: Sponsors | publisher = Vidoop LLC | url = http://www.vidoop.com/sponsor.php | accessdate = 2007-05-15 ]

Vidoop Secure

Vidoop Secure is a user login technology based on categorized images. When a user enrolls in a system implementing the technology, he chooses from several categories of images (such as airplanes, cars, or keys). [cite press release | title = Goodbye Passwords. Vidoop Debuts New Authentication Technology at Web 2.0 Expo | author = Vidoop LLC | publisher = Forbes Business Wire | date = 2007-04-07 | url = http://www.forbes.com/businesswire/feeds/businesswire/2007/04/17/businesswire20070417005915r1.html| accessdate = 2007-05-15] Furthermore, the user's computer is "activated" with a cookie, which is only provided upon the user's confirmation of a code transmitted either by email or by phone via voice or text message. At the time of login, if the cookie is found, a grid of images is displayed that includes pictures belonging to the user's chosen categories. The user selects these images by typing the randomized letter associated with each of his images, forming his access code. [cite video | title = How It Works | medium = Flash | publisher = Vidoop LLC | url = http://www.vidoop.com/vidoop_how.php]

myVidoop.com

[http://myVidoop.com/ myVidoop.com] is an OpenID provider run by Vidoop and powered by Vidoop Secure. As an OpenID provider, myVidoop.com is part of the movement that aims to provide a decentralized framework for a web single sign-on.

Criticisms

Vidoop has met with criticism regarding the claims of their technology's resistance to hacking. For example, researchers at CommerceNet have described a possible attack, [cite web | last = Dhamija | first = Rachna | title = Attacks on Vidoop Authentication | work = The New Economy | publisher = CommerceNet | date= 2007-05-07 | url = http://blog.commerce.net/?p=271 | format = Blog | accessdate = 2007-05-15 ] and also published a [http://s3.amazonaws.com/vidupe/vidupe.mov video] of a man-in-the-middle attack executed against myVidoop.com, both on the CommerceNet weblog.

Additionally, questions have been raised about the accessibility of Vidoop Secure to those with visual impairments. [cite web | title = Vidoop: Hack Proof Log In? | publisher = Soxiam Wiki | date= 2007-05-09 | format = Blog | url = http://www.soxiam.com/Notes/VidoopHackProofLogIn | accessdate = 2007-05-15 ] [cite web | title = Vidoop | publisher = ha.ckers | date= 2007-04-18 | format = Blog | url = http://ha.ckers.org/blog/20070418/vidoop/ | accessdate = 2007-05-15 ]

Vidoop's authentication scheme essentially consists of a very short secret and a "pre-authorization" cookie. A users' shared secret is a set of 3-5 categories out of a possible 12, which is only 8-10 bits of entropy. Vidoop allows users to enter in their categories in at least two possible orders, reducing the effective secret by a bit. An attacker in possession of the pre-authorization cookie could guess 1-2% of passwords in the three given trials.

References

See also

*CAPTCHA
*Two-factor authentication
*OpenID

External links

* [http://www.vidoop.com/ Vidoop LLC website]
* [http://www.myVidoop.com/ myVidoop.com]
* [http://s3.amazonaws.com/vidupe/vidupe.mov Video of a MITM attack against myVidoop.com]