Remembering passwords is one of those things which one just cannot seem to escape. At the very least, we all need to remember a single password: namely the one for unlocking a password manager. These password managers come in a wide variety of forms and shapes, from software programs to little devices which one carries with them. The Mooltipass Mini BLE falls into the latter category: it is small enough to comfortably fit in a hand or pocket, yet capable of remembering all of your passwords.
Heading into its crowdfunding campaign, the Mooltipass Mini BLE is an evolution of the Mooltipass Mini device, which acts as a USB keyboard by default, entering log-in credentials for you. With the required browser extension installed, this process can also be automated when browsing to a known website. Any new credentials can also be saved automatically this way.
Where the Mooltipass Mini BLE differs from the original is in that it also adds a Bluetooth (BLE) mode, enabling it to be used easily with any BLE-capable device, including laptops and smartphones, without having to dig around for a USB cable and/or OTG adapter.
I have already been using the original Mooltipass Mini for a while, and the Mooltipass team was kind enough to send me a prototype Mooltipass Mini BLE for evaluation and comparison. Let’s take a look.
Hardware Password Manager Basics
Sometimes it feels as if the need to remember five dozen passwords is a recent thing, but it’s been pretty much a requirement ever since someone came up with the concept of ‘user accounts’ on computer systems. However, dealing with the passwords for one’s computer OS, two dozen online stores, banking and social media accounts does take a bit more wrangling. Especially if one does it the Right Way® and uses a different password for each login.
While passwords scribbled on a Post-It note are guaranteed secure so long as nobody sneaks a peek at them, this method is awkward and a bit of paper is easily lost. Software-based password managers are a definite step up, and is what I have been mostly using the past years. They use a master key to encrypt a database which contains the credentials as well as other sensitive information. One can safely carry this encrypted database file around by putting it on an online drive or USB stick.
A hardware password manager like the Mooltipass Mini (BLE) is similar to that concept, only instead of an encrypted database file, the Mooltipass device is essentially the database in physical form. The credentials are stored locally, within a tamper-proof storage device. To unlock the device, you needs two things:
- Something you have (smartcard with AES key).
- Something you know (PIN code).
This two-factor authentication ensures that if someone runs off with your smartcard, they still cannot unlock your Mooltipass device. Also interesting with this approach is that multiple people can share the same Mooltipass device, only seeing the credentials which their personal smartcard and PIN code unlock. This is very different from another recent hardware password manager called the BeamU, which unlocks with only a finger print (‘something you are’), theoretically allowing anyone who lifts your finger print to gain access to all the credentials on your BeamU card.
That said, the Mooltipass Mini BLE still allows you to use it as a Web Authentication (FIDO2) device, with the lack of biometrics a wise choice, as I covered in a recent article on FIDO2. This is the same hardware token functionality we find in the SoloKey, but combines password keeping and FIDO2 in a single device. So far the Mooltipass Mini BLE is looking good.
Enter Low-Energy Dentistry
Bluetooth Low Energy (BLE) has become a favorite parallel protocol next to the regular Bluetooth protocol. It enables a similar communication range to regular Bluetooth, while using significantly less power. This is a good thing for the Mooltipass Mini BLE, as unlike its predecessor it now has to live off a battery. By default BLE is disabled, but can be enabled in the settings of the device.
With BLE enabled, a single battery charge should last approximately a month, depending on how often the screen is turned on. As this happens every time one has to confirm adding new credentials or manually sends credentials to a log-in field.
The USB port has moved from Micro-USB to USB-C, but otherwise the USB-based functionality remains unchanged. In the Mooltipass Mini BLE the cable serves as both USB-based communication and charging the internal battery.
With the accompanying software installed (known as moolticute with sources available on GutHub), one can tweak various settings for the device such as the keyboard layout to use for when it is emulating a USB or BLE keyboard. Accessing the list of credentials is also done through the application, allowing for the manual adding and maintaining of credentials. With those in order, one then merely has to install either a browser extension, or connect the Mooltipass Mini BLE via USB or BLE (or both) and pick the credentials to send to the connected device. If both BLE and USB are currently connected, the device will use its display to ask the user to choose between the two connections.
When trying this on a Windows 10 laptop via BLE, it managed to successfully fill in the log-in fields at sites like Github using the ‘simulated BLE keyboard’ functionality. No special software required, which makes it very useful for occasions when using a software-based password manager isn’t going to fly, like using a public or work computer.
My Beta Experience
After having been sent an early version of the Mooltipass Mini BLE device, I was informed that a second device was also on its way to me, on account of the first having a presumed firmware bug. Although I did not encounter this bug, it turned out that having a second device was very useful, due to the nature of Beta-level hardware. At some point, the display of the first device stopped turning on, despite the rest of the unit still working. This was confirmed as a known issue with early units.
The second device has not given me any major issues so far. I was able to use it in a similar way to the Mooltipass Mini, before exploring the new features. In terms of feel and looks, both devices are quite similar. They’re still encased in a similar metal shell, the clicky scroll wheel on the right-hand side is very similar and the display is the familiar monochrome look, albeit a more high-resolution OLED screen than on the original.
When I received the first device, I could pop in one of the provided smartcards and creating a fresh key (‘user’). Also useful is the ability to clone a smartcard via a menu option. This way you have a backup of the key in case you somehow lose the original smartcard. In the Moolticute application you are also constantly reminded to make a backup of the credential database. This all should make it pretty hard to ever get locked out of one’s accounts as the database is never confined to a single device.
Seeing the login fields on various sites while on my laptop get filled in almost as if by magic was also an interesting experience. The only issues which I encountered had to do with the Mini BLE’s USB interface currently not dealing well with my usual USB hub, and the BLE HID on my Xiaomi Mi 5 smartphone did not work. USB hubs are no problem on the original Mini, so that appears to be a temporary glitch, with the Mooltipass team already aware of the issue.
The Mooltipass Mini BLE seems to be pretty much the hardware password manager that I hadn’t really realized I needed. I’m not really into Web Authentication, nor do I trust biometrics for securing my data. That’s where the Mooltipass Mini BLE offers non-biometric two-factor authentication to unlock it, even allowing for different categories of encrypted data (unlocked with different smartcard and PIN). Having FIDO2 support is a bonus in case I ever want to use it and need a token.
Like the original Mini, the Mini BLE is an open source project, for both the hardware and software. Whether this is an important point to you or not is mostly a personal choice. For me, it does add a certain level of confidence in the sense that I can look at the schematics and source code whenever I feel like it.
Since I got early prototype hardware to use, it seems unfair to put too much weight on some remaining hardware and firmware issues. I do however hope that these last issues get resolved before the final hardware is ready. Once that happens I might be tempted to retire the Mooltipass Mini for its BLE successor.