It’s not a new problem. With all the “Web 2.0” websites come more and more usernames and passwords to remember and catalog. We’ve been trying to figure out a way of managing all that data, securely, for a while now. OpenID has been embraced by many as the answer. Take a website you trust and that knows you (even your own), and have it broker your connection with other sites. The catch: That’s fine for sites that take OpenID logins, but most don’t.
There are desktop software solutions like Roboform (PC) or 1Passwd (Mac), but they won’t help you when you’re away from your main computer, and they don’t stop hackers and other evil-doers from stealing your password when it’s transmitted to the site.
Vidoop has come up with an interesting, multi-layered approach to both the juggling password problem and the evil-doer problem with a solution that uses visual cues instead of passwords. They’ve taken their technology and now offer it in a free, soup-to-nuts consumer package they call MyVidoop.
Let’s take a look.
First of all, MyVidoop is an OpenID provider. Sign up for a MyVidoop username and your OpenID username is http://username.myvidoop.com. For sites that take OpenID logins, you’re all set.
Still don’t get OpenID? Then watch this entertaining video the Vidoop folks put together that explains conceptually how it all works:
Once you’ve trusted sites, you can manage them easily from your MyVidoop page.
For sites that don’t support OpenID, MyVidoop offers a Firefox plugin (IE support promised, no word on Safari yet) that lets you store your passwords either on MyVidoop’s servers or in an encrypted file on your computer. The plugin, when activated, will offer to auto-fill the site login fields when you visit the page again.

This feature works best if you have a single login per site. If you have multiple identities, you’ll have to visit your MyVidoop page and click the URL in the saved site list to log in with that unique username/password. If you’re not using Firefox, or you don’t have the plugin installed, you have to copy/paste your login information. Otherwise, it works similarly to the third-party desktop applications or even the auto-fill built in to the browser, but if you store your passwords on MyVidoop’s servers you can also get to them from any computer. I’ve asked the company for specifics on how they keep those stored passwords secure and backed up, since their technology primarily focuses on the login process. Until you know this is a company you can trust, you may be better off sticking with the local saving option.
Keep in mind that when MyVidoop stores the encrypted file locally it’s only accessible from that one browser. A much-needed feature is the ability to decrypt that local file outside of the MyVidoop site. So your locally stored file from Firefox is not available when you log in from Safari, and vice versa. Same if you jump between Firefox and IE on a PC. You can save an encrypted file and reopen it from within MyVidoop, but that requires maintaining multiple local copies of the same data. Awkward.
If your life is a mix of sites that do and do not support OpenID, MyVidoop is one-stop-shopping to manage it all in one interface.
So, you say, couldn’t someone just get your username/password for MyVidoop and cause mayhem and destruction on your life? Not so fast. That’s where MyVidoop gets interesting.
Logging in to MyVidoop uses Vidoop Secure. What’s so special about Vidoop Secure? I’ll tell you. When you register, instead of picking a password you pick 3 visual categories that you keep secret. As with Bank of America’s SiteKey, the idea is that people tend to remember pictures better than they remember words or phrases. The registration process walks you through:

Once you’re registered and good to go, when you log in to MyVidoop your password is entered by picking the letters next to the 3 visual categories you picked.

The pictures change each time, so if “flowers” is your category you won’t necessarily see the same flora the next time. The positions of your categories change on the grid, as do the categories in the 9 boxes that aren’t your choice. Even if someone records that you typed “bxr” this time, it won’t matter because that won’t be the accepted code the next time you log in. This stops phishing, since the fake site has to know to include your 3 categories. If you don’t see all 3 of your categories in the grid, you know something is wrong. A CAPTCHA wants to make sure you’re a human being. Vidoop wants to make sure you’re you.
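To make the mechanics concrete, here is a small simulation of the grid login described above, added as an illustration; it is not Vidoop’s code. The category pool, the use of lowercase letters, and order-insensitive matching of the typed letters are assumptions; the 12-box grid follows from the 3 secret categories plus the 9 other boxes.

```python
import math
import secrets
import string

# Constructed category pool; the page does not list the service's real categories.
POOL = ["flowers", "cars", "dogs", "food", "boats", "trees", "clocks", "shoes",
        "planes", "keys", "birds", "fish", "hats", "chairs", "bridges", "toys"]
GRID_SIZE = 12  # the user's 3 categories plus the 9 other boxes the article mentions
_rng = secrets.SystemRandom()

def new_challenge(secret):
    """Return a fresh grid as {category: letter}; layout and letters change per login."""
    decoys = _rng.sample([c for c in POOL if c not in secret], GRID_SIZE - len(secret))
    shown = list(secret) + decoys
    _rng.shuffle(shown)
    letters = _rng.sample(string.ascii_lowercase, GRID_SIZE)  # one distinct letter per box
    return dict(zip(shown, letters))

def expected_code(grid, secret):
    """Letters shown next to the user's categories (order ignored: an assumption)."""
    return frozenset(grid[c] for c in secret)

def verify(grid, secret, typed):
    """Server side: accept only the letters that match this particular grid."""
    return len(typed) == len(secret) and frozenset(typed) == expected_code(grid, secret)

def grid_looks_genuine(grid, secret):
    """User side: a real grid always contains every one of the secret categories."""
    return all(c in grid for c in secret)

def blind_guess_probability(n_secret=3):
    """Chance that picking n_secret boxes at random from one grid is accepted."""
    return 1 / math.comb(GRID_SIZE, n_secret)

if __name__ == "__main__":
    secret = ("flowers", "boats", "keys")
    first = new_challenge(secret)
    recorded = "".join(expected_code(first, secret))  # what a keylogger would capture
    second = new_challenge(secret)
    print("accepted on first grid:", verify(first, secret, recorded))
    print("replayed on second grid:", verify(second, secret, recorded))
    print("blind guess odds: 1 in", round(1 / blind_guess_probability()))
```

Under these assumptions a single random pick of three boxes succeeds 1 time in 220, which is why the grid alone would be weak against repeated guessing.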
But what if evil-doers start guessing at your categories? They have to get that far. If you are not using a browser on a computer that you’ve previously registered in MyVidoop, the software will first verify you via a one-time activation code in some out-of-browser way. You can have the software send the code by a call to the pre-arranged voice phone (it’s a recorded message), by text message or to your registered email address. Your choice, depending on where you are. Whichever method you choose, you must enter the code in the window to proceed. Once successful, you have the option of having MyVidoop remember that location. Then and only then are you presented with the visual grid for login.
The company teases a mobile solution on their site, but there don’t appear to be any real-world examples.
Vidoop is looking to be profitable through a number of avenues. First, companies can license the Vidoop security solution for their own sites. They are also offering sponsorship opportunities on the visual images. That’s not just any pizza in the food category image…that’s Mazzio’s Pizza. Roll over the image for an ad. However, if the only site that has this login technology is MyVidoop and it doesn’t build a user base quickly, that may not go far.
The Bottom Line:
Vidoop/MyVidoop shows some promise towards consolidating the mess of usernames and passwords we have to remember in a very safe and secure manner. It’s not perfect yet. Sometimes it can be difficult to make out whether or not the picture is in your category (I’d avoid “toys” and “telephones” as category choices for that reason…I had trouble with those). The plugin can be a bit temperamental, and it will only autofill one ID per site, although you can save multiple IDs if you choose to fill them from within MyVidoop.
If you’re worried about someone snooping on you when you enter your passwords, or you like the idea of managing OpenID trusted sites in the same interface as you save your other usernames and passwords, then MyVidoop is definitely worth considering. Otherwise, it may be more trouble than it’s worth, especially for a startup. I’d especially urge caution until MyVidoop allows its password file to be decrypted outside of MyVidoop.