Using captcha instead of usernames and passwords

So in all the mayhem that is/was the first three months of the year, we apparently completely missed news about the Web 2.0 Expo. Well, either that or we completely dismissed it based on the name alone.
Either way, it appears to be a loss to us, given what I’m reading on Andre’s blog about the sessions he’s been to. One of them in particular caught my eye: Vidoop.
Vidoop is an attempt to find a better solution to usernames and passwords. Anyone who’s had to adapt to the rules of Sarbanes-Oxley has had to deal with the inevitable expiration of passwords every 45 days, and having to come up with new passwords that have to be cryptic, yet memorable.
This is one of my major hatreds of SOX compliance. Every 45 days I have to rack my brain for up to 10 minutes thinking of one that will actually work (must have mixed-case lettering, must include a number, must include a punctuation character of some kind, and must be at least 8 characters long) that I won’t forget or confuse with previous ones. Until we went SOX-compliant, I had the same password for years!
But I digress…
Vidoop offers an interesting solution: captcha. Vidoop’s system claims to offer protection for the four big problems:

  • Phishing
  • Keystroke Logging
  • Man-in-the-Middle
  • Brute Force

Vidoop gets around this by providing a login system that first installs a simple key on the computer the user will log in from. But you have to prove that you’re you first, which is done by providing a unique ID to create the key, either by voice (over the phone) or by a text message (to your personal cell phone). Since this is done per computer, you need only set it up once if it’s your own computer. You can also set up temporary connections from your favourite coffee shop’s system.
This first step eliminates brute force, since you can’t even get to the captcha without the key first in place.
Next, you get a grid of pictures. You need to identify two (according to the Vidoop demo) pictures, each of which has a letter or a number assigned. The kinds of images that appear depend on your configuration, but your profile (based on the key you already set up) will pull images from specific categories, such as mountains or flowers. Naturally, not all the images in the grid would be from those categories, to keep things more secure.
Once you identify the letters and numbers and enter them in, you’re all set. Or at least that’s the theory. Naturally, the combination changes constantly, and the numbers/letters are always different. Technically, you’re entering a new password every time. As such, phishing won’t work, nor will keystroke logging or man-in-the-middle.
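The provisioning-then-grid flow described in the paragraphs above, as an added simulation. This is my code, not Vidoop’s: the image names and category list are constructed, the 12-cell grid follows the post’s demo, and the three-failure lockout is the figure quoted in the comments. It shows the properties the post attributes to the scheme from the server’s side: no grid is issued until a device key has been activated out of band, every grid gets fresh labels and is single-use, so a phished or keylogged response is worthless against the next grid, and repeated wrong answers lock the account. The order of the typed letters is not enforced in this model.

```python
import secrets
import string
from dataclasses import dataclass

# Constructed sample image pool; the names are placeholders, not Vidoop's images.
IMAGE_POOL = {
    "mountains":   ["mountain-01", "mountain-02", "mountain-03", "mountain-04"],
    "flowers":     ["flower-01", "flower-02", "flower-03", "flower-04"],
    "keys":        ["key-01", "key-02", "key-03", "key-04"],
    "instruments": ["instrument-01", "instrument-02", "instrument-03", "instrument-04"],
    "buildings":   ["building-01", "building-02", "building-03", "building-04"],
    "animals":     ["animal-01", "animal-02", "animal-03", "animal-04"],
}
GRID_SIZE = 12      # 3x4 grid, as in the post's demo
MAX_FAILURES = 3    # lockout threshold quoted in the comments
_rng = secrets.SystemRandom()   # OS entropy, not the default PRNG


@dataclass
class Account:
    secret_categories: tuple     # e.g. ("mountains", "flowers")
    activated_devices: set       # device keys provisioned by phone call or SMS
    failures: int = 0
    locked: bool = False


@dataclass
class Challenge:
    cells: dict                  # label -> (category, image) for every grid cell
    expected: frozenset          # labels sitting on the secret-category images
    used: bool = False           # a challenge answers exactly once


def issue_challenge(account: Account, device_id: str) -> Challenge:
    """Build a fresh grid: one image per secret category, random decoys, fresh labels."""
    if device_id not in account.activated_devices:
        raise PermissionError("device key not activated for this account")
    if account.locked:
        raise PermissionError("account is locked")
    chosen = [(cat, _rng.choice(IMAGE_POOL[cat])) for cat in account.secret_categories]
    decoys = [(cat, img) for cat, imgs in IMAGE_POOL.items()
              if cat not in account.secret_categories for img in imgs]
    chosen += _rng.sample(decoys, GRID_SIZE - len(chosen))
    _rng.shuffle(chosen)
    labels = _rng.sample(string.ascii_uppercase, GRID_SIZE)   # new letters every time
    cells = dict(zip(labels, chosen))
    expected = frozenset(lbl for lbl, (cat, _) in cells.items()
                         if cat in account.secret_categories)
    return Challenge(cells=cells, expected=expected)


def verify(account: Account, challenge: Challenge, response: str) -> bool:
    """Check a typed response. Each challenge is single-use; MAX_FAILURES wrong
    answers lock the account. Letter order is ignored in this model."""
    if account.locked or challenge.used:
        return False
    challenge.used = True
    if (len(response) == len(challenge.expected)
            and frozenset(response.upper()) == challenge.expected):
        account.failures = 0
        return True
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.locked = True
    return False


if __name__ == "__main__":
    acct = Account(secret_categories=("mountains", "flowers"), activated_devices={"laptop-1"})
    ch = issue_challenge(acct, "laptop-1")
    for label, (cat, img) in sorted(ch.cells.items()):
        print(f"[{label}] {img}")
    answer = "".join(ch.expected)
    print("correct answer accepted:", verify(acct, ch, answer))
    print("same answer replayed against the used grid:", verify(acct, ch, answer))
```

The replay check is the point that matters for the phishing and keylogging claims: a response is only meaningful for the grid it was issued against, and that grid is consumed on first use.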
After having some thought about this, I have a few questions.

  1. Does it matter in what order the numbers/letters are entered? If not, that reduces security, since a guess is more likely to succeed.
  2. Does the case of the letter matter? If not, then you’ve just lost 26 possible combinations.
  3. The demo shows a grid of 12 images, of which you select 2. Can the grid be increased to 16 or 20 images?

The combinatorics is what makes me wonder. Take the minimum requirement for a SOX-compliant password (8 characters, numbers, mixed case, with punctuation marks). That’s (26×26×10×33)^8 = 6.1331711844412782794467972197974e+42. (Oh, I hope I got my math right on that — I flunked combinatorics in university.)
Secure, but that’s also assuming totally non-sensical passwords that people can’t remember. So I’d drop that a few fold to get something more realistic. Still, tough to beat.
Vidoop’s chances (according to the demo, and assumptions based on the above list) are much smaller: one in six attempts. Assuming, of course, that you a) can get the key, b) have an idea of what the user’s categories are, and c) that the images are set up to be difficult enough that only the user knows.
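The guess-odds arithmetic here and the “1 in N” figures Koesmanto gives in the comments below are easy to get wrong, so this is an added worked example (my code, not the post’s or Vidoop’s). It computes the response space of an image grid with and without sequencing, the odds of a hit within a lockout budget, and the keyspace of a text password. Assumptions: the attacker already holds the device key and can see the grid; a password is modelled as 8 characters drawn from the 95 printable ASCII characters, which counts the alphabet differently from the product formula above; and each attempt faces a freshly shuffled grid, so attempts are independent. The simple attempts/space approximation is included because it is what reproduces the comment’s 1-in-73 and 1-in-440 figures for a 3×4 grid with 3 secrets.

```python
from fractions import Fraction
from math import comb, log2, perm


def grid_response_space(grid_images: int, secret_images: int, ordered: bool) -> int:
    """Number of distinct responses to one grid.

    With sequencing enforced the user must name the secret images in order
    (a permutation); without it any order is accepted (a combination).
    """
    if ordered:
        return perm(grid_images, secret_images)
    return comb(grid_images, secret_images)


def union_bound_odds(space: int, attempts: int) -> int:
    """'1 in N' odds of a hit within `attempts` tries, using the simple
    attempts/space approximation (an upper bound on the true probability)."""
    return round(space / attempts)


def exact_success_probability(space: int, attempts: int) -> Fraction:
    """Exact probability that at least one of `attempts` uniform guesses hits,
    when every attempt faces a freshly shuffled grid (independent trials)."""
    miss = 1 - Fraction(1, space)
    return 1 - miss ** attempts


def password_keyspace(alphabet_size: int, length: int) -> int:
    """Keyspace of a password of `length` symbols, each drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def bits(space: int) -> float:
    """Size of a space expressed in bits, for comparing unlike schemes."""
    return log2(space)


if __name__ == "__main__":
    lockout = 3  # failures allowed before lockout, as quoted in the comments
    for rows, cols in ((3, 4), (4, 4)):
        n = rows * cols
        for ordered in (False, True):
            space = grid_response_space(n, 3, ordered)
            print(f"{rows}x{cols} grid, 3 secrets, ordered={ordered}: "
                  f"{space} responses ({bits(space):.1f} bits), "
                  f"about 1 in {union_bound_odds(space, lockout)} within {lockout} tries, "
                  f"exact {float(exact_success_probability(space, lockout)):.5f}")
    # Assumption: 8 characters drawn uniformly from the 95 printable ASCII characters.
    pw = password_keyspace(95, 8)
    print(f"8-char password over 95 symbols: {pw} ({bits(pw):.1f} bits)")
```

The bits figure is the useful comparison: a 3×4 grid with three unordered secrets is under 8 bits per grid, which is why the lockout, the per-device key and the out-of-band activation carry most of the weight, not the grid itself.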
That last one is the tough one. Take Vidoop’s demo: the categories for the user are mountains and flowers. Pretty distinct, and easy to spot. There are also pictures of keys, musical instruments, buildings, and animals. A couple of attempts, and you might figure it out.
What if it were all people? Nameless people. But you have to identify your cousins. Or your nieces. Or your aunt’s friends. Only you know who those people are. To everyone else, they’re just faces.
It’s an interesting concept, but I have to admit the security ramifications make me wonder. I’m sure it’s not exactly SOX-compliant (the rules are probably arcane — it is government legislation, after all), but it still sounds like it covers a lot of the bases.
Now if I can just convince someone around here to let us try it out…

5 thoughts on “Using captcha instead of usernames and passwords”

  1. Did you give their OpenID implementation a try?
    Based on talking to a couple of people at the booth it appears that the demo only scratches the surface and you can scale up in terms of categories and images. They have a team made up of people from the Navy, Microsoft, and a number of other hard core organizations so if they are not SOX compliant at this second I’m sure they are on the way. Considering banks are one of their target markets and all.
    They did stress that they are a security company that leverages the goodness and freshness of web 2.0 and not the other way around.

  2. Hey,
    To answer your questions, the size of the grid can be changed. The demo showed a 3×3 grid, while on myvidoop it’s a 3×4 grid. You can also customize whether or not sequencing matters; you can turn on case sensitivity, adding numbers, or even have more than 1 alphanumeric character per image.
    Now, onto statistics:
    On a 3×4 grid, where you have 3 secret categories and sequencing isn’t enforced, the probability of someone guessing your secrets is 1 in 73 attempts. When sequencing matters, it is 1 in 440 attempts.
    On a 4×4 grid, it increases to 1 in 187 attempts when sequencing doesn’t matter, and 1 in 607 attempts when sequencing matters. (assuming 3 secret categories needed).
    On myVidoop, we allow 3 failures before an account lockout.
    The above scenario also assumes that someone actually uses computers that you have activated. If they are trying to see your grid on an unactivated computer, they’d have to have access to your email address or your phone.
    Please let me know if you have any more questions or feedback. I would be happy to give you an invitation code if you’d like to try myVidoop out.

  3. Koesmanto, thank you very much for the extra information! This helps understand the system a lot more. I think I might hit you up for a trial, too.

  4. If we always stick with the “tried and true”, there’s never any chance for improvement. Frankly, I think Vidoop sounds like an improvement over our decades-old text-based system. It’s prone to error and security issues, and as we move forward with technology, other solutions make more sense. I think Vidoop sounds like a good solution.
    Assuming SOX doesn’t prevent it, that is. 😉
