A year and a half ago I helped support the Mooltipass on Indiegogo. I originally heard about it on Hackaday.com, but what really captured my attention, other than it being an offline password manager, is that it was going to be designed by the community. Anyone could volunteer time to help with the project. Unfortunately I was unable to do so with the many other things I had going on. But at least I could support the project by backing it.
The Mooltipass is an encrypted (AES-256) USB credential storage device that acts like an HID keyboard. It can be used with or without the Chrome app and the extension. The extension allows it to detect which site you are on and load that credential after an approval from the onboard display, as well as manage the device settings and credential database. The goal of the Mooltipass is to minimize the possible attack vectors on your stored passwords. I use LastPass, which has a larger attack surface and offers greater convenience, so for the time being I am using both systems. The Mooltipass gets its security from being a physical device and from having a removable smart card. Without the smart card and PIN, you cannot access the credentials even if you have the backed-up binary blob. There is also a permanent lockout after three failed attempts at entering the PIN, which I find a bit short since with the touch buttons it is easy to mess up. I should also mention that the PIN isn’t limited to 0-9; it uses all of the possible hex values, 0-9 and A-F. Pretty neat!
Since the Mooltipass is a physical device pretending to be a keyboard, it will work with sites in which the login form isn’t detectable, such as a Flash-based web app, which is another great feature. This is accomplished by using the onscreen display to send the credentials. An unintended use that I found is that it greatly reduces keystrokes for non-web-based logins, which is helpful for people like myself who have tendonitis. I realized with the Mooltipass how many times a day I am entering my credentials.
Here is a picture of the original, which came in plastic, with an aluminum premium option. Both are nice with the touch wheel but quite bulky, and they stand out on your desk, especially at work. Although it has made for a great conversation starter, that’s for sure.
Fast forward to 2016 and the group is at it again, developing the Mooltipass Mini, a small compact version with a click wheel for navigation. At this point I had the time to invest and become part of the beta team to test and give feedback to improve the design before it is released on a crowdsourcing site near you.
Above is the picture of the first beta unit. This one has both a click wheel and joystick so we could test both by flashing various firmware versions. We tested the joystick first and then the click wheel. As a group we came to the conclusion to go with the click wheel. Regardless of the input method, I find the Mini much better as it takes less desk space and you can easily stash it in a bag.
Pictured above is the next revision of the Mini, with a tinted, ultrasonically welded plastic housing which protects the display. There are a few tolerance issues being worked out, but overall it is very nice. As for the plastic, we were testing lighter and darker tint versions. That is, until we saw pictures of an aluminum version!
We liked it so much that instead of it being offered as a premium version, the consensus is that it should be the only version. Some of the prototypes that were recently sent out also included an accelerometer! This helps with having to click the wheel from the side to approve a credential every time. So far for work, I will use the original one where I can just tap the front to approve and load a credential from favorites, plus it will have a separate set of credentials. But the Mini will be my go-to one for everywhere else – it’s so convenient for traveling. One thing I need to try is entering credentials on my phone via an OTG USB cable.
Which color would you choose?