authentication - ReadWriteWeb (http://www.readwriteweb.com/feeds/tag/authentication), Copyright 2009 Richard MacManus, Sun, 22 Nov 2009 08:05:49 -0800

Could Photos Replace Squiggles in CAPTCHA?

The arms race between spammers, bots and publishers can drive the rest of us crazy too, and nowhere is that more evident than in the often maddening CAPTCHA challenges we have to jump through on many websites. Those squiggly lines run together and are too often impossible to identify. One company in Portland, Oregon believes its system of image-based authentication could be used to replace traditional CAPTCHA systems.

Vidoop is a user authentication service provider that emphasizes financial services markets and OpenID. The company's core product lets users log in to sites by entering letters and numbers on top of images in a chart that only a human eye can identify; now Vidoop thinks it can apply the same principle to CAPTCHA. It's an intriguing possibility, as you can see below. It's not without controversy, however.

[Image: VidoopCAPTCHA.jpg]

As you can see above, site visitors will be prompted to enter letters or numbers found along with a certain combination of images. It's a dramatically different cognitive process than the standard CAPTCHA challenge. In as much as it's different, it's quite interesting.

Vidoop says that as many as 20% of CAPTCHA attempts using other systems result in failure, but that its system is much easier for people to use. The images can appear on a webpage, as a pop-up, or in a lightbox. The images are mostly Creative Commons licensed, the company told us - specifically under the Attribution and Attribution Share Alike licenses, which is why there is a link to a "credits" page at the bottom of each popup; the "image shield" itself is also Creative Commons licensed.

How About Some Ads With Your Kittens and Puppies?

There's a business model here, too. Vidoop says that if this system catches on, site owners will be able to sell spots in their image boxes to advertisers. The concentration required in order to identify these images would be a huge gift to advertisers placed there. There's something a little troubling about that prospect, but the company says that in a survey large enough that they believe it is nationally representative, most people said they don't mind. (Feed readers can click here to answer our poll about this idea.)

The company also misses out on the social good component of, for example, the reCAPTCHA project, where CAPTCHA is used to identify words that optical book scanning machines have been unable to digitize. Those exercises can be as frustrating as any other CAPTCHA implementation, though. We suspect that many site owners, offered an alternative that brings both increased usability and cash, will prefer Vidoop's solution.

Innovations in visual media online, of which this is an example, are intriguing; but this one in particular stirs a certain ambivalence in me. Maybe I'm an outlier and few other people will feel psychologically imposed-upon by ads in technology such as this. Being asked to mentally parse images of cats from boats from fruit and finding, upon examination, a Taco Bell advertisement - feels like a betrayal of the trust I gave these collections of images when I looked deeply into their boxes.

It certainly looks easier than traditional CAPTCHA, though, and if anyone wants to gaze more thoughtfully into the squares where our sponsors' logos can be found - we're not going to stop you. From a user's perspective, and from the perspective of someone who values my relative cognitive independence, I don't think I feel entirely comfortable with what this company is doing. Perhaps the right to ignore advertisements is an essential one that Vidoop is failing to respect.

What do you think of Vidoop's CAPTCHA solution? You can try out the company's demo of the product for yourself here.

http://www.readwriteweb.com/archives/could_photos_replace_squigles_in_captcha.php Products Mon, 06 Apr 2009 16:03:51 -0800 Marshall Kirkpatrick
Bad News for OpenID: People Still Using Same Password Everywhere

A new survey from Gartner Research delivers some bad news regarding our online security practices: two-thirds of U.S. consumers use the same one or two passwords for all the websites they access. And they like it that way. Although people claim they're concerned about security, they still tend to use unsafe password management techniques rather than exploring new methods - be they new hardware, software, or new authentication frameworks like OpenID.

Always Use the Same Password? You're Not Alone

Gartner's survey of 4000 U.S. adults, conducted in September 2008, once again demonstrated people's tendency to opt for convenience over security. It's a trend that has stayed fairly consistent over the years, despite the fact that an increasing amount of activity occurs online these days thanks to the growth of cloud computing.

According to Gregg Kreizman, research director at Gartner, "most consumers want to continue managing their passwords the way they do now." But the way they do now is nothing to brag about. It generally consists of one or two passwords which the consumer uses on every website they encounter.

What should be done about this? According to Kreizman, online product and service vendors should redouble their marketing efforts to illustrate the advantages and practicality of routine and stronger authentication for consumers. Another analyst, Avivah Litan, also notes that "enterprises with consumer-facing websites that require stronger controls than weak password authentication alone should continue to augment passwords with complementary mechanisms, such as device identification, geolocation and transaction verification."

Elephant in the Room: Facebook Connect

While these findings are relatively unsurprising, the study highlights one of the top issues when it comes to security: the human factor. For most people, convenience is key, even if it means putting their security at risk. Consumers would rather rely on service providers to protect their safety than change their own age-old habits.

Yet the one thing the study didn't address is what impact Facebook Connect will have on the user authentication ecosystem. Unlike OpenID (new sign-in boxes notwithstanding), Facebook Connect makes sense to the user. People immediately understand what it means to sign in using their Facebook account. What's more, the process is easier and faster than creating a new username/password combination for the website in question. That bodes well for its adoption and acceptance among consumers.

In addition, Facebook Connect solves problems that go beyond the security issue alone. Sites implementing the technology can gain access to your friend lists, too - a boon for social networking-type sites and those wishing to become more social. There's also the great, untapped potential of how Facebook Connect could make the Internet a kinder, more transparent place. When people have to be identified - and are not anonymous - the chance they'll engage in "troll-like" behavior (leaving rude, disruptive comments) is reduced. It could also impact sites that rely heavily on user reviews. No longer could marketers, business owners, and content producers game the system by leaving glowing - yet fake - reviews which are then foisted upon unsuspecting visitors.

For those reasons and more, Facebook Connect could very well become the next big authentication methodology on the web. Personal opinion aside, it's hard to ignore the potential of this social networking giant.

But while Facebook Connect may eventually solve the security issue of a commonly used username and password among consumers, it's important to realize that it will introduce security concerns of its own. If this technology becomes ubiquitous, we'll have to face the consequences of putting all the power of authentication into the hands of one private company, which many fear does not have our best interests at heart - especially when it comes to privacy.

And that makes us think that perhaps a common, often-repeated password may not be such a bad thing after all.

Image credits: key - Mirko Macari; iphone - Krynowek Eine [el Eine]

http://www.readwriteweb.com/archives/bad_news_for_openid_people_still_using_same_password_everywhere.php Trends Tue, 24 Feb 2009 05:50:40 -0800 Sarah Perez
Yubikey: Your Key To Securing the Web

A company that believes it has the solution to our online security woes is Yubico, maker of a small USB dongle known as the Yubikey. This ingenious authentication solution can be combined with OpenID or other third-party web sites to provide secure authentication on the web.

Authentication is an area of security that is more important than ever, especially since we're now using the web to access all sorts of private data, from personal communications to online banking sites. Yet as those services become more sophisticated and complex, so do the techniques used by criminals wanting access to our private information. Although many of these sites force you to create strong passwords, a password alone is not your best defense against identity thieves. For the best security, multi-factor authentication is needed, and that's what Yubikey provides.

Security Matters

At first glance, you may dismiss Yubikey as yet another smart card to carry around. However, the difference between smart cards and Yubikey is that smart cards require client software. Yubikey, on the other hand, identifies itself to the computer as a USB keyboard. This means there's no software to install - you just insert the key, press the button, and it will generate a one-time password for you to use.

This makes Yubikey more like PayPal's Security Key, a device which generates a temporary 6-digit security code every 30 seconds. However, the PayPal key requires you to enter the security code yourself each time you log in. Yubikey, on the other hand, will enter your code for you.

Yubikey + OpenID

One of the most exciting uses for Yubikey is combining it with your OpenID to secure your online identity. The company runs its own OpenID server, which can be used in combination with Yubikey to generate a secure OpenID. By pressing the button on the USB key, you're provided with a URL which you can use on any site that supports OpenID. You can also set up your own web site to work with Yubikey if you want a more personal URL. (To see this in action, click here for a short screencast.)

Yubikey's Open Source Solution

Combining Yubikey with OpenID is just one way to use this device. Yubikey also supports authentication via RADIUS and PAM as well as other systems. Also, since Yubikey is open source, anyone can set up a server and use the company's web APIs and open source SDK to integrate it with their online services.

Already, developers have begun to use Yubikey in combination with numerous other systems. For example, Rohos has combined their Rohos Logon Key with Yubikey to provide secure authentication for logging into your Windows PC. Online password manager, MashedLife, also supports Yubikey sign on for their registered users. Henrick Schack created a WordPress blog plugin which uses Yubikey to provide an extra layer of security for logging into WordPress. A company known as Collective Software has created an Active Directory solution for use with workstation logon, network applications, extranet web publishing, and VPNs.

Those are just some of the applications available today, but the possibilities are endless.

Will Yubikey Take Off?

The security community has high hopes for Yubikey. Well-known security analyst, Steve Gibson of the "Security Now" podcast dubbed Yubikey "the coolest new secure authentication device." He felt the device had potential because of its open source nature: "...no subscription fee, lifetime free authentication...as long as you've got a USB port, this is the answer," he says.

The device also has potential because of the way it's built: small and thin enough to be carried in a wallet. It's also cheap to manufacture, so it can be produced in volume at a low cost. These design considerations were no fluke, either. Yubikey's creator and CEO, Stina Ehrensvärd, put a lot of time and effort into the aesthetics, even speaking with experts at both Verisign and eBay to help her shape the product into what it is today.

Although Yubikey may not present the ideal solution for universal authentication, it could at least offer another layer of security to those web sites that contain the most private and personal information. With the growing number of identity theft victims today, extra security may appeal to those who have been burned in the past or who are just very cautious with their personal info online. It's easy to imagine banks offering Yubikey or similar solutions to their customers as an optional additional security mechanism, similar to how PayPal offers a security token to their users.

The Yubikey is available for purchase from the company's web site at prices which start at $30.00 and decrease with the number of keys ordered.

http://www.readwriteweb.com/archives/yubikey_your_key_to_securing_the_web.php Products Tue, 16 Sep 2008 09:50:00 -0800 Sarah Perez
UsableLogin Gives You One Login For All The Web

As early adopters and technology enthusiasts, we're known for signing up for every new service presented to us. Due to the sheer number of web sites out there, most of us have devised a system for remembering all those passwords: we make them all the same. (Nod sheepishly if this is you.) This system, although easy, is dangerously insecure. A hacker would only need to compromise your password one time in order to gain access to all your accounts. But what alternatives do we have?

At this week's DEMO conference, I was introduced to two new ways to make authentication on the web more secure, and both of them are truly incredible. This post will look at one of those methods: UsableLogin.

About UsableLogin

UsableLogin is a new application from Usable Security Systems which allows you to choose one simple code word and use it to log into any web site. That codeword can be as simple as your dog's name ("fido") or your favorite color ("pink"). Why is this possible? Because the code word is just one layer of security - behind the scenes, the software creates another password for you for the actual web site. The password it creates is strong, complex, and highly secure, just as we know passwords should be.

How It Works

To use UsableLogin, you simply download the browser plugin. After you pick a background image and your easy-to-recall pass code, the login box will appear consistently across every web site you access, whether that's Facebook or your bank.

Web sites can also choose to support UsableLogin by putting a small bit of JavaScript code on their site.

Here's what UsableLogin sign-in boxes look like:

[Image: UsableLogin sign-in boxes]

When you log in to a web site, UsableLogin cryptographically combines your simple code word with secret data pulled from separate sources: your computer and Usable Security's servers. This data is combined to create a secure verifier which is used as your complex password. Your code word is never stored and web sites never see it.

UsableLogin can be used on any web site that accepts passwords. It will also work on any operating system and browser.

[Image: UsableLogin on Gmail]

The UsableLogin Dashboard

From the UsableLogin homepage, you can manage all your accounts and view your history - when you last logged on and from which computer. You can also authorize and deauthorize computers from this dashboard, so for example, if your laptop was lost or stolen, you could make sure that no one who got a hold of it could log in to your accounts.

Security Made Easy

Ask any I.T. professional about "multi-factor authentication" and they'll tell you how much more secure it is against attacks. Think of it this way: on your front door you have a doorknob with a lock - that's the extent of protection you have today. Add a deadbolt to the mix, and even if the doorknob lock is easy to pick, the extra lock (the deadbolt) makes it much harder to get into your house. That's multi-factor authentication. (OK, it's actually much more complicated than that, but that's the easiest way I could think to explain it.)

If you want to learn more about UsableLogin, you can watch their entire presentation from DEMO08 here:

UsableLogin will become available in early 2009. You can sign up on their homepage to be notified when it's released.

http://www.readwriteweb.com/archives/usablelogin_gives_you_one_login_for_the_web.php Products Fri, 12 Sep 2008 07:00:00 -0800 Sarah Perez
Your Email Password: A True Horror Story About Why We Need Authentication Standards

Blogging developer Jeff Atwood has written up a story of password theft that will send a chill down the spine of anyone who enjoys trying out new applications online.

The story is about a GMail archiving application being sold by an unscrupulous coder who programmed the app to forward all GMail usernames and passwords from customers to his personal GMail account.

The story underlines the importance of the emerging movement for user authentication standards, a part of the user trust dilemma that will prove key in the near-term future of online innovation. OAuth, one of those proposed standards, is something we write about here regularly.

Dustin Brooks is a reader of Atwood's excellent blog Coding Horror and sent Atwood the story of his sleuthing around the app, called G-Archiver.

"It didn't really have the functionality I was looking for," Brooks wrote, "but being a programmer myself I used Reflector to take a peek at the source code. What I came across was quite shocking. John Terry, the apparent creator, hard coded his username and password to his gmail account in source code. All right, not the smartest thing in the world to do, but then I noticed that every time a user adds their account to the program to back up their data, it sends an email with their username and password to his personal email box! Having just entered my own information I became concerned.

"I opened up a browser and logged in to gmail using his account information. It still worked.

"Upon getting to the inbox I was greeted with 1,777 emails with account information for everyone who had ever used the software and right at the top was mine. I decided to go ahead and blast every email to the deleted folder and then empty it. I may have accidentally changed the password and security question to something I don't remember as well, whoops, my bad. I also contacted google to erase this account as I didn't see a way to delete it myself."

Way to go, Dustin Brooks.

Authentication Standards and Best Practices: A Key to Innovation

How often have you given your usernames and passwords to various services, including webmail, to a new application you want to check out? I know I do that far too often. I decided I'd had enough last week when yet another application asked for my Twitter username and password. Twitter pays my rent, so I can't be giving my credentials out to just anybody. I don't need to get G-Archived.

New 3rd-party Twitter clients are just not going to get any attention from me until Twitter offers an authentication protocol that doesn't require me to provide my username and password. It's pretty insane if you think about it, given how central the Twitter API is to the company's viability. I guess if you're struggling to keep your pants up at a party, though (service uptime), then there's no time to make sure your fly is zipped before meeting the other guests.

When users decide that they won't give out their credentials to random startups, the user pipeline is going to dry up and innovation is going to be slowed substantially. Maybe that's already happening and a world of potential support for innovation is already absent.

With the release of the Google Contacts API this week, developers don't have much excuse to ask for a user's GMail username and password. Unfortunately, Google didn't build its API on a standard like OAuth, so that framework won't spread as far and wide as it might.

Niall Kennedy has written a great article about authentication best practices, and the OAuth website is a good place to go to read more on this topic.

http://www.readwriteweb.com/archives/your_email_password_a_true_hor.php Analysis Sat, 08 Mar 2008 12:18:51 -0800 Marshall Kirkpatrick