Security Experts:

Mooltipass Mini: Hardware Password Manager for Consumers, Enterprises

Mooltipass Mini

Mooltipass Mini is an open-source password manager device that makes it easy for consumers and enterprise users to access their online accounts and ensure that their credentials are safely stored.

While the industry is increasingly calling for a better alternative to passwords, this classic authentication method cannot be replaced overnight, leaving many users to look for secure ways to store the valuable information. Some people have turned to software-based password managers, which are recommended by many security experts, but others prefer hardware-based solutions that could be even more efficient.

After selling thousands of units of the full-size Mooltipass device, the Switzerland-based developer decided to create a mini version. The company said its existing customers asked for a cheaper device that could be carried around more easily. SecurityWeek has reviewed the new Mooltipass Mini.

The Mooltipass Mini is very easy to set up – you install an app and an add-on in the web browser, and connect the device to your computer via the USB port. When the browser add-on detects a login page, it prompts the user to save the entered credentials to the Mooltipass. The next time that website is visited, the user is prompted to connect the Mooltipass to the computer and the credentials are automatically inserted into the login page.

Mooltipass Mini

Since the product functions as a standard USB keyboard that automatically types the credentials, it does not require any special drivers and it can be easily used on Windows, Mac and Linux machines. It also works with smartphones and tablets that have a USB port.

Usernames and passwords are encrypted and stored on the device, with the encryption key stored on a special PIN-protected smartcard. Multiple cards can be used with each Mooltipass Mini and one card can be synchronized between multiple devices.

The app provided by the developer allows users to manage credentials, configure the device, update its firmware, and import or export credentials from a file or cloud storage. Users can store their own passwords or they can leverage the credentials manager to generate strong passwords.

The Mooltipass Mini device is operated via a clickable scroll wheel that has a “return to previous menu” function when long-pressed. The wheel allows users to enter the PIN, manually select the login credentials they want to enter on a website, and navigate through the device’s menu. For extra security, each action performed on the computer-installed app must be manually confirmed by the user from the Mooltipass Mini device by clicking the wheel.

Currently, the add-on is only available for Google Chrome, but the vendor has promised to release add-ons for Firefox and other browsers as well. Google intends to kill apps, but Mooltipass developers have started migrating to a cross-platform daemon that will allow them to expand support to all applications. The code is open source so anyone can contribute to the project.

The company says the Mooltipass Mini is very secure. The encryption key is stored on the smartcard using AES-256 encryption, and the card becomes permanently blocked if the PIN is entered incorrectly three times.

Mooltipass Mini

Furthermore, the credentials are transferred from the device to the computer only when logging in to a website or when the credentials manager app is used, but the information is only present in memory for the minimum amount of time.

The flaws that might plague the product can be fixed by the development team with a patch for the computer-installed software or a firmware update that can be easily deployed on the device. The bugs identified by SecurityWeek during its review of a Mooltipass Mini prototype were quickly fixed.

The Mooltipass has been used by both consumers and enterprises. The vendor says it regularly receives large orders from companies and it has already produced two batches of 50 Mooltipass Mini devices for some large enterprises.

Pricing for the full-size Mooltipass starts at $170 and it depends on the type of casing and the number of accessories. In comparison, the retail price of the Mooltipass Mini will be roughly $80-85, but it can now be acquired at early bird rates by pledging at least $50 through the Kickstarter campaign launched on Monday.

The 2014 Indiegogo campaign for the full-size Mooltipass raised over $126,000. The goal for the Mooltipass Mini campaign is 50,000 Swiss Franc (roughly $51,000), but more than half of the amount has already been raised in the first few days of the campaign. The money will be used to fund the manufacturing of a large batch of devices.

Related: One in Five Employees Would Sell Work Passwords

Related: LastPass Rushes to Patch Flaw That Exposed User Passwords

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.