Vidoop's dynamic visual grid is the latest attempt to solve the long-standing password problem. See how Vidoop works, why Vidoop might succeed where smart cards and USB tokens have failed, and the questions that Vidoop still needs to answer.
Issue: Vidoop visual grid as a password replacement
As I wrote earlier this spring from the Web 2.0 Expo, one of the most innovative new things that I've seen in the IT industry in 2007 is Vidoop's implementation of visual image recognition as an authentication system to replace passwords.
There are essentially two solutions that Vidoop offers:
- Vidoop Secure — This is the software that makes the whole thing work. It runs on a backend server and can be licensed by businesses to replace their existing password authentication system(s) across the enterprise. The software was designed to integrate with LDAP and Active Directory. It has been adopted by more than 40 local and regional financial institutions.
- MyVidoop.com — Still in Beta at the time that I'm writing this, MyVidoop.com is Vidoop's public implementation of its visual grid. It runs Vidoop Secure on the backend, and on the front end it can be implemented with any site that uses OpenID. The goal is to provide stronger Web authentication and help users so that they do not have to juggle so many Web passwords.
I've tested the Vidoop system through an invitation to the MyVidoop beta and here's how it works:
1. You create a user ID that becomes a URL (userid.myvidoop.com).
2. You choose three image categories (e.g., houses, computers, people).
3. You have to activate the computer you are using as a legitimate user of your ID. This is done via a confirmation code to your e-mail or a text message to your cell phone.
4. Once you receive the confirmation code, you enter it into the MyVidoop screen when you log in and then you no longer have to activate that computer the next time you log in from that computer. However, you will have to activate each time you log in from a new computer to confirm that you are you and not someone trying to crack your password.
5. Once you enter your user ID (and have activated it on your computer), you receive your Vidoop visual grid. You locate the three images that represent your categories and enter the corresponding letters into the Access Code field.
The grid is dynamic, so the images and the letters change positions each time the grid appears.
Here are two videos that further explain the Vidoop solution. The first is a five-minute Vidoop overview from the Web 2.0 Expo, and the second is a Vidoop-produced video that delves into the Vidoop Secure technology.
IT pros have long known that passwords are one of the weakest links in enterprise security, and multiple vendors have developed solutions to try to overcome the password issue. For example, smartcards and USB keys have been proposed as two-factor authentication mechanisms. However, neither of them has ever been widely adopted because they are expensive and difficult to deploy.
Vidoop has a number of advantages that could allow its visual grid to succeed where smartcards and USB keys have failed in enhancing authentication on a large scale:
- It's less expensive and easier to deploy because it does not involve physical hardware.
- The visual grid is simpler and more intuitive for the average user to understand.
- It scales better because it is software based.
- Vidoop is currently developing modules for VPN and Outlook Web Access, which are two of the biggest security soft spots in the enterprise.
Of course, Vidoop also has some drawbacks and some questions that it will need to answer:
- How well will it translate to mobile? The world is becoming much less tied to computers and much more involved in computing with mobile phones. Vidoop will need its solution to translate seamlessly to mobile.
- The performance and reliability of image loading needs to improve. With MyVidoop.com, there are times when images load slowly. If users have to wait for images to load before they can log in, this solution will never fly. The images have to load instantaneously and can never fail to load on any platform.
- Is it wise to hitch the Vidoop wagon (at least on the Web) to OpenID? The jury is still out on whether OpenID will be universally or even widely adopted. The Vidoop solution is good enough to transcend OpenID.
- Similar solutions such as PassFace are already offering a competing approach to visual grid authentication. What if Microsoft or IBM jump in?
What do you think of the Vidoop solution and the potential of a visual grid replacing passwords for authentication? Join the discussion.
I have four Beta invitations for MyVidoop.com and I will send them to the first four TechRepublic users who send me a message.