How many online accounts do you possess? Chances are, you’re now using dozens of services, ranging from social media accounts through to banking sites. As a security best practice, you should use a unique password for each one, but for many users this will prove an exercise in frustration when it comes to remembering credentials.
Although built-in browser and operating system password safes can alleviate this problem, you’re still entrusting your secrets to a database on your device – or a third party’s server. This is where the Mooltipass comes in, a hardware password keeper that aims to store your credentials securely while providing physical separation from the rest of your data.
The new Mooltipass Mini BLE is the third generation of the Mooltipass, an open-source crowdfunded project that saw its first device release in 2015. The palm-sized BLE has a rigid aluminium chassis, a USB-C port and a 256×64 OLED display. For the first time, it also has an integrated battery and Bluetooth Low Energy (BLE) wireless connectivity.
The Mini BLE is currently seeking crowdfunding on Kickstarter before mass production commences later this year. The device used in this review was a pre-release unit, although final hardware will be visually identical.
Passwords are stored on the device, independently from your computer. To gain access, you use a smartcard that’s protected with a 4-digit PIN. This is tri-factor authentication – without having access to your Mooltipass, your smartcard and your PIN, an attacker won’t be able to reach your passwords.
Smartcards can be cloned so you don’t need to worry about locking yourself out. Mooltipass databases can be copied between devices – including previous versions of the Mooltipass – so you can create backups in the event your data is lost. When you enter a PIN code incorrectly more than three times, the smartcard gets erased. Any “clones” of that card remain usable and your data stays intact on the Mooltipass itself.
The Mooltipass is device-agnostic. It literally “types” your passwords for you by pretending to be a USB – or Bluetooth – keyboard. You can use it with any operating system, whether a PC, phone or tablet.
Interactions with the device are by means of a single clickable scroll wheel located on its side. You rotate the wheel to move between menus and press it to make a selection. Holding the wheel will move you back to the previous menu.
On-device functionality is limited to manually selecting credentials and adjusting some basic settings. You can browse your usernames and passwords and have the Mooltipass type them into whatever you’re connected to – focus a text field, choose the credential and follow the prompts to type the username and/or password. When the device is disconnected and on battery power, you can view credentials in plain text on the screen.
App and extension
To add credentials, you’ll need to use the “Moolticute” app on Windows. There’s also a browser extension for Chrome, Firefox and Safari which communicates with Moolticute to enable webpage integration.
With the app and extension installed, password inputs on webpages will be detected automatically. When you submit a registration form, or enter a password on a site for the first time, you’ll be prompted to add the credential to your Mooltipass. A single click on the scroll wheel will save it.
On subsequent visits to the site, the Mooltipass will prompt you to use the stored credential. Click the wheel to have the login form populated for you. It’s a little slower than a “regular” login while giving you all the added benefits of hardware password protection. Naturally, you do need to have your Mooltipass unlocked first (smartcard inserted, PIN entered), but this is generally a one-time procedure when you sit down at your PC.
A couple of helper settings make this even quicker, including the ability to program the Mooltipass to send special keystrokes at lock and unlock. Using settings in Moolticute, you can direct the Mooltipass to send Win+L when the smartcard is removed, thus locking the device and your Windows PC. Similarly, it’s possible to create a special credential called “_unlock_”, which gets typed after you enter your PIN – this can be used to automatically dismiss the Windows lockscreen and log you back into your PC.
Compared with the previous-generation Mooltipass Mini, the BLE is a significant step forwards in terms of sophistication and polish. The on-screen UI is now high-resolution, animated and far more extensive, including the ability to adjust basic settings without using Moolticute. The main menu is a horizontal strip of icons, replacing the old vertically scrolling text on the Mini. A status strip in the bottom right shows the current battery level and Bluetooth connectivity.
The headline change is inevitably the addition of Bluetooth. It’s set up by scrolling to the Bluetooth menu from the device’s home screen. Here, you can add pairings, remove existing ones or disable Bluetooth altogether. Once paired to a device, you can use all the Mooltipass’ features wirelessly – no need to connect a USB cable when it’s time to type a password. The quoted theoretical battery life is currently 7 days with Bluetooth on and connected; this figure is yet to be finalised.
The Bluetooth functionality works smoothly and improves the device’s convenience. This is a common theme with the BLE – in other areas, new settings allow you to customise the balance between security and convenience, which wasn’t possible with the outgoing Mini. Such changes include the option of disabling the prompt before credentials are typed and the ability to enter “management mode” (used while editing credentials with Moolticute) without re-entering your PIN.
Like the Mini, you can securely store small files on the BLE. Files are added and retrieved via the Moolticute app. This capability is ideal for storing two-factor recovery codes, which are often presented as long lists of digits when generated by websites.
None of these features would be much use without comprehensive security protections. Mooltipass stores all passwords with AES-256 encryption, using an implementation which has been independently verified by external organisations. Brute-forcing an exported credentials database would take in excess of 50 years, according to the Mooltipass website. The project’s open-source nature enables anyone to review the code and assess its security.
On the hardware side, the device has a seamless aluminium body in the same style as the Mini. A brute force teardown of the Mini previously confirmed the case is “practically impossible” to open; any attempt would be immediately obvious to the owner, so the device is considered to be tamper-proof.
The Mooltipass Mini BLE is a welcome refinement of the Mooltipass concept. With added Bluetooth connectivity, a more useful on-device interface and some new convenience options, the BLE furthers Mooltipass’ aim of being “as simple as possible” for all users.
That’s not to say it’s perfect. Manually logging in via the menu system can be time-intensive, particularly when performed repeatedly. Scrolling the plastic wheel can also be physically tiring when used with a long list; questions about the plastic wheel’s long-term durability remain.
I’d like to see Mooltipass explore alternative input options, such as a touchscreen or even an integrated fingerprint sensor, for future devices, as the wheel system can be cumbersome for all but the quickest interactions. Nonetheless, you shouldn’t need to rely on it too often once you’ve got the app and browser extension installed. A few simple software tweaks could improve the situation too, such as adding an option to sort the on-device Login menu by “recently used” instead of alphabetically.
The Mooltipass has few competitors, with the physical password safe market still mostly targeting power users and security-conscious individuals. The BLE’s comprehensive ecosystem and device-agnostic nature mean it’s generally as quick to use as built-in browser password safes, while providing a much greater level of security.
With 24 days to go, the BLE Kickstarter campaign has been backed by over 600 supporters and is 80% funded. The campaign target is 100,000 Swiss francs (CHF), roughly $110,000 or £83,500. Kickstarter backers who pledge more than 82 CHF ($87/£69) will receive a device as a reward.
Final retail pricing is expected to be around $109 (about £85), with shipments beginning in January 2021. Mooltipass promises to continue supporting the BLE with firmware updates beyond its release, so a good lifetime is expected.