Passwords a Thing of the Past?



Mjcpr
4/20/2007, 08:09 AM
A Tulsa company thinks so. Never heard of this before...what do you techies think of the idea?

SAN FRANCISCO -- Vidoop, a Tulsa-based tech company, unveiled Tuesday an innovative new way to log onto Web sites that replaces unchanging passwords with a picture-based interface.

Luke Sontag, president of Vidoop, told the assembled tech company developers and representatives at the Web 2.0 Expo here that Vidoop's Dynamic Image Grid provides a much higher level of security sorely needed for most Web sites.

"It's time to secure the Wild West of the Internet, and your friends in the Silicon Prairie are circling the wagons," he said.

Continuing the Wild West metaphor, Sontag said most sites are like old-style safes that could be opened by blasting off the hinges. Vidoop was compared to bolt-action safes that remain shut even after the hinges are destroyed.

Instead of a static password that can be stolen by malicious key-logging programs that record keystrokes and send them to online thieves, Vidoop users prove their identities by choosing categories and finding pictures that match them.

"You need a human brain to process the information, so it cuts out all automated hacking," he said.

Sontag said the process is technically complex yet intuitive.

"It's easy on me -- I just find the boat and the airplane (images)," he said while demonstrating the process.

The program also authenticates computers used by Vidoop users and only generates the image grid on approved computers during log-in attempts.

Vidoop intends to license the technology to Web sites, particularly those for financial institutions. Sontag said a Fortune 500 company intends to replace its log-in system with Vidoop's by July, though he declined to reveal the name of the business.

The company is also finalizing a free log-in portal that will allow users to log in once to hundreds of sites that use Open ID.

Vidoop currently employs 20, though company CEO Joel Norvell said the company could grow to 100 within a year based on the popularity of the product.

Sontag and Norvell, both Tulsa residents, said they met during Norvell's yoga classes, and eventually decided to form a net-based company that could provide a needed benefit.

"Security is the biggest pain point for most Web sites," Norvell said. "Logging in is the weakest link in the chain."

Starting two years ago, the two recruited a number of experienced designers, including Scott Blomquist, former lead developer for Microsoft's Windows multimedia search team, and others from the Naval Research Laboratory and the National Institute of Standards and Technology.

Norvell said it was surprisingly easy to convince people to move from areas known for technological development to Tulsa.

"Developers are a very mobile population, and when they heard what we're doing, they wanted to move here," he said.

Norvell said the programmers quickly hit upon the image grid idea during brainstorming sessions, and spent the last two years perfecting it and conducting secret tests with volunteers in Vidoop's headquarters in the Bank of America building in downtown Tulsa.

Tuesday's unveiling coincided with the official launch of the company's Web site, www.vidoop.com (http://www.vidoop.com/), and its Open ID portal, www.myvidoop.com (http://www.myvidoop.com/).


http://www.tulsaworld.com/business/article.aspx?articleID=070418_238_E1_hTuls34656&breadcrumb=Article%20Search

OUDoc
4/20/2007, 08:12 AM
"It's easy on me -- I just find the boat and the airplane (images)," he said while demonstrating the process.

I know his password! ;)

yermom
4/20/2007, 08:18 AM
if they are user chosen then this might be too easy for people that know you to guess your combination, or even someone that has seen your myspace

also i don't see any reason that if you could get a key logger on a computer that you couldn't get something that would track outgoing web requests, which is all that sounds like this uses

Mjcpr
4/20/2007, 08:20 AM
if they are user chosen then this might be too easy for people that know you to guess your combination, or even someone that has seen your myspace

also i don't see any reason that if you could get a key logger on a computer that you couldn't get something that would track outgoing web requests, which is all that sounds like this uses

Don't the letters change randomly for the pictures?

yermom
4/20/2007, 08:22 AM
i don't think they are talking about captchas

now i am kinda curious on the process to allow a computer to be authorized...

Hatfield
4/20/2007, 08:23 AM
the rooster crows at midnight.

Mjcpr
4/20/2007, 08:23 AM
A new way to log in

1. Vidoop system has user choose several picture “themes.”

2. At log-in, individual types user name.

3. User then looks for pictures with selected themes from a larger grid of choices.

4. User types in randomly generated number or letter appearing in each pre-chosen picture box.

5. If done properly, access will be granted.

Mjcpr
4/20/2007, 08:25 AM
What Vidoop does


Vidoop’s authentication technology can be licensed by and incorporated into any Web site that requires a log-in, or used remotely through www.myvidoop.com (http://www.myvidoop.com/) for sites that allow remote log-ins.

In practice, the user types in and submits her user name. Instead of asking for a password, a grid of pictures pops up.

Each of the pictures features a different theme, such as dogs, flowers, money or outer space. The program randomly generates a number or letter for each picture and places it in the corner of each picture.

Rather than choosing an unchanging password, users select several themes. When logging in, users look for pictures within their themes, note the character in the corner, and enter that as an access code.

For example, the user has selected dogs, space and money as her themes. In the accompanying picture, the letters I, G and L appear in the corner. To log in, the user would type the three letters in any order, such as “igl.”

Because the user never types in the same access code twice, malicious programs that record keystrokes and transmit static passwords to scammers would not be able to steal an access code that works after that session.

Additionally, the order of the themes in the grid is randomized, and each theme has hundreds of different pictures. The money theme could show a picture of a dollar bill one session, and a picture of Scrooge McDuck diving into his money bin the next time.

Luke Sontag of Vidoop said it takes human-level thought processes to realize the pictures belong to the same theme, so programs that try to automatically log in are defeated.

Furthermore, Vidoop only produces the grid on computers that have been authenticated by an Internet “cookie,” or packet of data, received by registering on the site.

If a user tries to log into a computer that hasn’t been authenticated, Vidoop offers to transmit an authentication code via phone or e-mail. This also notifies the user if anyone else attempts to enter her account.

After the user enters the authentication code, the log-in grid pops up normally. Computers can be activated permanently or temporarily, which allows users to access the site from an Internet cafe, for example.

Hatfield
4/20/2007, 08:31 AM
so basically what you are saying is it might be more difficult for me to get to my pron?

Mjcpr
4/20/2007, 08:42 AM
so basically what you are saying is it might be more difficult for me to get to my pron?

Easier for you, more difficult for the hackerz. :D

yermom
4/20/2007, 08:46 AM
ok, that sounds harder to crack, but i'd rather do something a bit more simple and still use a password

it already feels like i'm giving a blood sample or something to get into my bank account

yermom
4/20/2007, 08:48 AM
Easier for you, more difficult for the hackerz. :D

i don't know about that... all that graphical nonsense would get annoying over and over

it sounds like they are trying to get around that with their single sign-on process

Mjcpr
4/20/2007, 09:05 AM
i don't know about that... all that graphical nonsense would get annoying over and over

it sounds like they are trying to get around that with their single sign-on process

Remembering/storing/securing numerous PW's isn't?

yermom
4/20/2007, 09:33 AM
i couldn't tell you how many passwords i have to keep track of

StoopTroup
4/20/2007, 09:37 AM
passwerds ar da suc...

Vaevictis
4/20/2007, 02:09 PM
Alright, I watched the video.

Two comments:

1. The thing that makes it more secure is the fact that you have to install a "token" on your computer for the thing to work at all. This token is unique, and is probably communicated as a cookie.
2. The thing that makes it less secure is that when the pictures are presented, there are only twelve pictures and hence only twelve possible characters in the authentication string. The probability of just guessing it went up one hell of a lot.

That's about all you can say at this point, unless they're providing deeper technical details elsewhere. Depending on how they're using that token -- is it a cookie, or is it a part of a public/private key combination -- the level of security could go up or down quite a bit. I would bet it's just a damned cookie though, so it's probably pretty low.
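
Added example (not part of any post in this thread, and not Vidoop's code): a small model of the image-grid check described above, used to quantify the guessing odds raised in the previous post and the lockout threshold a site would need. Assumptions: a 12-picture grid, three user themes as in the article's example, a distinct letter per picture, and codes accepted in any order; the theme names and function names are made up for illustration.

```python
import secrets
from itertools import combinations
from math import comb, perm

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Constructed sample grid of 12 themes (names are illustrative).
THEMES = ["dogs", "flowers", "money", "space", "boats", "planes",
          "cats", "cars", "trees", "food", "birds", "houses"]

def new_grid(themes=THEMES):
    """One login challenge: shuffled themes, each with a distinct random letter."""
    rng = secrets.SystemRandom()
    order = list(themes)
    rng.shuffle(order)
    return dict(zip(order, rng.sample(ALPHABET, len(order))))

def verify(grid, user_themes, code):
    """Accept only the letters shown on the user's themes, typed in any order."""
    return sorted(code.upper()) == sorted(grid[t] for t in user_themes)

def code_space(grid_size, k, ordered=False):
    """Equally likely codes for someone who sees the grid but not the themes."""
    return perm(grid_size, k) if ordered else comb(grid_size, k)

def enumerate_guess_odds(grid, user_themes):
    """Cross-check code_space by trying every k-letter subset of the grid."""
    k = len(user_themes)
    hits = sum(verify(grid, user_themes, "".join(c))
               for c in combinations(grid.values(), k))
    return hits, comb(len(grid), k)

def max_attempts(grid_size, k, risk, ordered=False):
    """Largest lockout threshold n with P(a blind guess succeeds in n tries) <= risk.
    Each attempt faces a fresh grid, so tries are independent with p = 1/code_space."""
    p = 1 / code_space(grid_size, k, ordered)
    n = 0
    while 1 - (1 - p) ** (n + 1) <= risk:
        n += 1
    return n

if __name__ == "__main__":
    grid = new_grid()
    print("codes per grid (any order):", code_space(12, 3))        # 220
    print("codes per grid (ordered):  ", code_space(12, 3, True))  # 1320
    print("8 lowercase letters:       ", 26 ** 8)
    print("lockout for <=1% risk:     ", max_attempts(12, 3, 0.01))
```

With these assumptions a single blind guess succeeds 1 time in 220, so the device token and a strict attempt limit carry most of the security, not the grid itself.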

Mjcpr
4/20/2007, 02:31 PM
i couldn't tell you how many passwords i have to keep track of

Exactly.

Hatfield
4/20/2007, 03:34 PM
Remembering/storing/securing numerous PW's isn't?


that is why i have only 1.

easier on me...and da hackerz

OUinFLA
4/20/2007, 04:01 PM
that is why i have only 1.

easier on me...and da hackerz

just go ahead and pm it to me, I don't feel like working too hard tonight.

KC//CRIMSON
4/20/2007, 04:06 PM
Bank of America's online banking has been doing this for almost two years.

sanantoniosooner
4/20/2007, 04:10 PM
Bank of America's online banking has been doing this for almost two years.
I guess they're putting that five bucks they charge me to cash one of their members checks to good use.

Pinheads.

Vaevictis
4/20/2007, 04:10 PM
Bank of America's online banking has been doing this for almost two years.

It's not the same thing. The BOA system says, "If the image presented doesn't match the image you selected, don't put in your password."

This system basically says, "Select a couple types of pictures. When you go to log in, select those pictures in order instead of using a password."

OUinFLA
4/20/2007, 04:31 PM
If they have pics of Cindy Crawford and Claudia Schiffer.........

IN !

Blue
4/20/2007, 10:21 PM
NICE to KNOW YOUR PASSWORDS ARE SAFE!!!