Vidoop

Vidoop LLC
Company type	Private
Industry	Computer Security
Founded	2006
Defunct	2009
Fate	Dissolved
Headquarters	Portland, OR, USA
Products	Vidoop Secure, myVidoop.com
Number of employees	26
Website	www.vidoop.com

Vidoop LLC was a privately held company based in Portland, Oregon.^[1] Its flagship product was Vidoop Secure, a login solution designed to function without traditional passwords, which Vidoop claimed was resistant to brute force, keystroke logging, phishing, and some man-in-the-middle attacks.^[2] On 30 May 2009, Vidoop announced that it was going out of business.^[3]

Founding and Launch[edit]

Vidoop was founded in 2006 in Tulsa, Oklahoma. As of March 2006 it had 4 employees and would initially reveal only that it was developing a novel login solution that hides an access code in plain sight. After over a year of secretive development and testing, the company launched its product, Vidoop Secure, at the Web 2.0 Expo in San Francisco, California on 2007-04-17. Luke Sontag, a co-founder, gave a presentation at the expo demonstrating the technology and further announced that an unnamed Fortune 500 company would be replacing its login system with Vidoop by July 2007. ^[4]

Products[edit]

Vidoop's core technology is the Vidoop Dynamic Image Grid, a login tool that powers Vidoop Secure and thus myVidoop.com. The company also sells advertising space, allowing a company to place its products as images in the grid. There are currently two multi-national advertisers: Smart USA (a division of Daimler) and ConocoPhillips (Phillips66, Conoco, and 76 brand gas stations). One regional advertiser: Mazzio's. And one local advertiser: Jackie Cooper Imports (A local Tulsa, OK auto dealer).^[5]

Vidoop Secure[edit]

Vidoop Secure is a user login technology based on categorized images. When a user enrolls in a system implementing the technology, he chooses from several categories of images (such as airplanes, cars, or keys).^[6] Furthermore, the user's computer is "activated" with a cookie, which is only provided upon the user's confirmation of a code transmitted either by email or by phone via voice or text message. At the time of login, if the cookie is found, a grid of images is displayed that includes pictures belonging to the user's chosen categories. The user selects these images by typing the randomized letter associated with each of his images, forming his access code.^[7]

myVidoop.com[edit]

myVidoop.com is an OpenID provider run by Vidoop and powered by Vidoop Secure. As an OpenID provider, myVidoop.com is part of the movement that aims to provide a decentralized framework for a web single sign-on.

Criticisms[edit]

Vidoop has met with criticism regarding the claims of their technology's resistance to hacking. For example, researchers at CommerceNet have described a possible attack,^[8] and also published a video of a man-in-the-middle attack executed against myVidoop.com, both on the CommerceNet weblog.

Additionally, questions have been raised about the accessibility of Vidoop Secure to those with visual impairments.^[9]^[10]

Vidoop's authentication scheme essentially consists of a very short secret and a "pre-authorization" cookie. A users' shared secret is a set of 3–5 categories out of a possible 12, which is only 8–10 bits of entropy. Vidoop allows users to enter in their categories in at least two possible orders, reducing the effective secret by a bit. An attacker in possession of the pre-authorization cookie could guess 1-2% of passwords in the three given trials.

References[edit]

^ "Vidoop leaving Tulsa". Tulsa World.
^ "Vidoop.com: Vidoop Secure Resistance to Attack". Vidoop LLC. Retrieved 29 January 2008.
^ "Vidoop Is Dead, Employees Getting Computers in Lieu of Wages". TechCrunch. 30 May 2009. Retrieved 30 May 2009.
^ Evatt, Robert (18 April 2007). "Access Granted". Tulsa World. pp. E1.
^ "Vidoop.com: Sponsors". Vidoop LLC. Retrieved 15 May 2007.
^ Vidoop LLC (7 April 2007). "Goodbye Passwords. Vidoop Debuts New Authentication Technology at Web 2.0 Expo" (Press release). Forbes Business Wire. Retrieved 15 May 2007.^{[dead link]}
^ How It Works (Flash). Vidoop LLC.
^ Dhamija, Rachna (7 May 2007). "Attacks on Vidoop Authentication" (Blog). The New Economy. CommerceNet. Retrieved 15 May 2007.
^ "Vidoop: Hack Proof Log In?". Soxiam Wiki. 9 May 2007. Archived from the original (Blog) on 13 May 2007. Retrieved 15 May 2007.
^ "Vidoop" (Blog). ha.ckers. 18 April 2007. Retrieved 15 May 2007.

External links[edit]

[1] "Vidoop leaving Tulsa". Tulsa World.

[2] "Vidoop.com: Vidoop Secure Resistance to Attack". Vidoop LLC. Retrieved 29 January 2008.

[3] "Vidoop Is Dead, Employees Getting Computers in Lieu of Wages". TechCrunch. 30 May 2009. Retrieved 30 May 2009.

[4] Evatt, Robert (18 April 2007). "Access Granted". Tulsa World. pp. E1.

[5] "Vidoop.com: Sponsors". Vidoop LLC. Retrieved 15 May 2007.

[6] Vidoop LLC (7 April 2007). "Goodbye Passwords. Vidoop Debuts New Authentication Technology at Web 2.0 Expo" (Press release). Forbes Business Wire. Retrieved 15 May 2007.^{[dead link]}

[7] How It Works (Flash). Vidoop LLC.

[8] Dhamija, Rachna (7 May 2007). "Attacks on Vidoop Authentication" (Blog). The New Economy. CommerceNet. Retrieved 15 May 2007.

[9] "Vidoop: Hack Proof Log In?". Soxiam Wiki. 9 May 2007. Archived from the original (Blog) on 13 May 2007. Retrieved 15 May 2007.

[10] "Vidoop" (Blog). ha.ckers. 18 April 2007. Retrieved 15 May 2007.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]