The Mooltipass
The Mooltipass Mini is an evolution of the original Mooltipass. The open-source project received over $125,000 in funding on the Indiegogo crowdsourcing platform back in 2014, enabling the team behind the device to make the Mooltipass concept a reality. The Mini is based on the same ideas but features a much smaller design, making it more practical and giving it a wider appeal.
The humble username and password remains the authentication method of choice for most online services and platforms. Typical web users need to remember dozens of distinct credentials for the apps and websites they use. Keeping track of them all without making paper notes can be an exasperating challenge, creating reports of “security fatigue” where consumers have become disillusioned with staying safe online.
Mooltipass Mini physical password store
Mooltipass
This is where the Mooltipass steps in. It’s a physical password store that allows you to save your passwords digitally but independently of your computer. Passwords are secured with a PIN-protected smartcard. When you’re using your PC, you connect the Mooltipass, insert your smartcard and verify your PIN. When you visit a website, the Mooltipass browser extension will prompt you to save your credentials. On subsequent visits, you’ll be able to login by pressing the button on the Mooltipass.
Mooltipass has launched a new Kickstarter campaign to enable it to commercially produce the Mooltipass Mini. The company sent me an early sample of the finished hardware for the purposes of this review.
Design
The Mooltipass Mini is formed from a simple aluminium body. Its compact size and light weight makes it highly portable, enabling you to take it with you wherever you go. The device measures in at 79x37x12mm, around the same size as two USB sticks placed side-by-side.
The brushed metal finish helps to lower the risk of knocks and scrapes damaging the device, preventing your passwords being destroyed if the Mooltipass gets dropped on the pavement. It’s also visually attractive, although the varying sizes of the display bezels make the device feel lacking in symmetry and a little off-balance. Other than this annoyance, the palm-sized rectangle seems very well-made.
Mooltipass Mini physical password store
Mooltipass
A small scroll wheel on the right side of the Mooltipass is used to interact with the on-screen menus. Rotating the wheel scrolls the text on the display up or down. Clicking it inwards confirms an action. Multi-input controls such as this can be confusing but Mooltipass has implemented the wheel thoughtfully here. It is tactile, responsive and well-suited to the Mooltipass’ limited on-device functionality.
Usage
To get started with the Mooltipass, you need to register one of the supplied smartcards with the device. On connecting to your computer for the first time, you’ll be prompted to insert a smartcard and create a PIN code to protect your account. To start storing passwords on the Mooltipass, you’ll also need the free Chrome app and extension, available from the Chrome Web Store or the Mooltipass website.
Accounts are added to the Mooltipass in one of two ways. You can use the standalone Chrome app to manually add credentials. This enables you to store any username and password on the device. Alternatively, the browser extension can automatically detect login forms on websites. When you supply your details, the extension can save them to your Mooltipass. Next time you visit the site, an alert will display on your device. You can acknowledge the login attempt by clicking the scroll wheel.
Mooltipass Mini physical password store
Mooltipass
The Mooltipass’ star feature is its ability to work with any web browser and device. Once connected to your PC, the Mooltipass presents itself as a USB keyboard. This is how it enters your passwords into the browser — it sends them as keystrokes, as if you were typing them. Because the Mooltipass identifies itself as a regular keyboard, it is compatible with any device that supports USB input devices. It will work with PCs on any operating system, tablets, smart TVs and even smartphones capable of hosting USB On The Go (OTG) connections.
When using the Mooltipass with anything other than Google Chrome, you’ll need to enter your login details manually using the “Login” menu on the Mooltipass’ onscreen display. This presents a list of all your saved user accounts. After you’ve selected the credentials to use, you’ll be prompted to confirm the Mooltipass should type your username and password. While a little time consuming, the procedure works well. It would be simpler if you only had to confirm the login attempt once, rather than a separate prompt for the username and password entries, though.
Impressions
I’ve been using the Mooltipass for a couple of weeks. After storing the majority of my online credentials on the device, I’ve been able to strengthen the security around my accounts and simplify the sign-in procedure when using a new device. Choosing passwords for new services doesn’t need to be a chore anymore — the Chrome extension can generate random strings of text to use as passwords and automatically store them to the Mooltipass.
Using the Mooltipass allows you to take a proactive approach to security without even thinking about it. To get the most from the device, you should disable your browser’s password management features and stop checking the “stay signed in” box on websites. This defeats the point of the Mooltipass and means you’ll rarely have to actually use the device.
Mooltipass Mini physical password store
Mooltipass
It’s simple enough to login when you have your Mooltipass connected. When you visit a login page, the Mooltipass will display a prompt to enter your credentials. Pressing the scroll wheel in confirms the login.
This method can be a little cumbersome, especially if your Mooltipass is some distance away from you on your desk. There is an alternative though that’s even easier to use. The Mooltipass has a built-in accelerometer that’s activated when a sign-in prompt is displayed. You can simply tap your desk and the Mooltipass will log you in. In my experience, the accelerometer generally works well if tapped forcibly, although I have known it refuse to detect any input. It’s possible to change its sensitivity in the Mooltipass app.
I also ran into a few other problems at various points, all of which concern the currently available Chrome app and extension. Most frustratingly, on multiple occasions the Chrome extension failed to work as intended when the Mooltipass was locked. It would warn me to unlock the Mooltipass device but then never display the “confirm login” prompt once I’d entered the PIN. It’s a software bug and one that should get resolved in the future.
Hardware advantage
The Mooltipass’ functionality does overlap with the password storing capabilities built into modern web browsers. However, browser password safes could be hacked because they’re implemented purely in software. The Mooltipass puts up a physical barrier, preventing anyone from accessing your passwords without first obtaining your smartcard, PIN code and a Mooltipass. It’s this characteristic that makes the Mooltipass so secure and ideal for people concerned about online cybercrime.
“We believe in hardware based password keepers because of the immense attack surface of software password keepers,” said Mathieu Stephan, creator of the Mooltipass. “As illustrated in our crowdfunding campaign, when using software like Lastpass or Keypass, your master password is located inside your computer memory, together with your credentials database. This means that a malicious program could get access to your complete database without you knowing it.”
Mooltipass Mini physical password store
Mooltipass
Passwords are stored securely using the industry-standard AES-256 algorithm. Passwords are stored on your Mooltipass and the accompanying encryption key on the smartcard. This keeps the key separate from your data so hackers need to obtain access to both before either are usable. Even if an attacker achieves this, there’s still the PIN code to brute force. Entering the PIN incorrectly more than four times will destroy your data. You can create encrypted backups and clone smartcards though so there’s little risk of locking yourself out of the Mooltipass.
“With Mooltipass, we reduce to a strict minimum the attack surface,” said Stephan. “Our trusted device only runs our firmware and nothing else. Moreover, having it being recognized as a standard keyboard (when using manual password output) allows it to be compatible with every program out there.”
Limitations
The concept behind the Mooltipass is sound. However, there are limitations in the current implementation that would make for a better overall experience if resolved. Perhaps most notably, the companion app is only available for the Chrome web browser. The Mooltipass can type passwords into any device that supports external keyboards. However, you’ll need Chrome installed to add new credentials to the device.
Mooltipass is currently working on a version of its browser extension for the Firefox browser. It’s in testing now and will soon be publicly available. However, I feel a version of the Mooltipass app that isn’t dependent on having Chrome installed is a more pressing concern. As a key selling point of the Mooltipass is its ability to work with any platform and login app, it seems strange that Google Chrome has to be installed to actually add passwords to the device.
Mooltipass Mini physical password store
Mooltipass
Thankfully, work is already underway in this area. A community member is developing a cross-platform desktop app called “Moolticute” that eliminates the need for Chrome. It’s currently in an early release state. After trying it out, it suits my use of the Mooltipass better than the Chrome app. The open-source nature of the project allows you to choose an app to use or even build your own.
Verdict
When Mooltipass contacted me a few weeks ago, the concept the company pitched intrigued me. The funding achieved by the original Mooltipass of two years ago bears testament to the value of the idea. The Mini takes the device a step further. It’s a generally well thought out solution to a very real problem that computer users face every day.
The compact size and platform-agnostic nature of the Mooltipass mean it truly can be taken anywhere for use with every device. The hardware is attractive and robust, easily capable of fitting in the palm of the hand yet strong enough to resist the turmoil of everyday life. While I maintain the display bezels don’t make for the cleanest fascia, most consumers are likely to overlook this minor issue.
Where the Mooltipass really falls down is with its software. A temperamental browser extension and limited Chrome companion app don’t do the device and the concept justice. However, work is already being done to remedy this and the Firefox extension should be ready to go by the time the device launches. At the moment the Mooltipass is unlikely to be of much value to people who don’t use Chrome though. That includes the sensitive enterprise environments that could benefit the most from the Mooltipass.
Mooltipass Mini physical password store
Mooltipass
Because the Mooltipass’ problems lie primarily with its software, there is hope for the future. After speaking with Stephan, it’s clear the team is already working on making the Mooltipass app more widely accessible. Because the code for the project is completely open-source, anyone can jump in and contribute a fix. This community involvement has already paid dividends, such as in the creation of Moolticute. Once the app is more mature, it will end my most major complaint about the device, its dependency on Chrome.
Mooltipass launched the Kickstarter campaign for the Mini only 24 hours ago. It has already achieved well over half of its funding goal. The company expects to start shipping the Mooltipass Mini to customers in January. Retail pricing will be around $85 for the device and two smartcards.
Disclaimer: The Mooltipass Mini used in this article was a pre-release unit running pre-release software supplied by Mooltipass for the purposes of this review.
