Mooltipass BLE Password Authenticator Hands-On Review
June 30, 2022
Today we’re required to use a password for everything from Google, to PlayStation, to Costco, and any number of other websites and services in-between. Using one password for everything is a serious vulnerability, and keeping multiple passwords written down on a notecard, or as a plain text file on your computer are both problematic. Even dedicated online password keepers can be hacked.
So, should we simply give up on password security? Accept that hackers can own your information with enough time and effort? An interesting alternative was proposed way back in 2013, an offline password manager that eventually became the Mooltipass (as in Leeloo Dallas Mooltipass). This shrank into the Mooltipass Mini several years later, and now is available as the Mooltipass Mini BLE, which we purchased for this review.
The device uses an encrypted on-Mooltipass database of passwords that it sends to your device on request. An authentication card must be inserted, and even with this you need to enter a PIN, making hacking very hard. Card and Mooltipass data is easy to back up, and more info on the technology and its abilities can be found on the device's website.
This review will focus on my hands-on impressions of the device. I’m more tech-savvy than the average person, but definitely not a security expert. My primary system is a macOS computer with Firefox as my browser.
Unboxing this device, the aluminum body, ordered in dark grey, is beautiful, with a screen that’s crisp and easily viewable at an angle. Its USB-C interface (and the included A-to-C cable) is appreciated, facilitating easy connection to a computer. There’s also an included flexible cover to help keep things pristine, and it comes with two smart cards, one of which can be used as a backup. I also ordered two extra, making it four cards total.
BLE connection was straightforward, and once set up it works seamlessly whether connected to my computer via USB or wirelessly. I also was able to use it successfully with my Android smartphone. Setting a PIN with the scroll wheel was fairly easy, and its hexadecimal format is a nice touch security-wise. One might also see this as an indication that it’s meant for somewhat tech-savvy users.
A Bit of Yak Shaving
While the Mooltipass will work with any computing device as a virtual keyboard, for seamless integration you’ll want to install a browser extension, plus the Moolticute app as outlined in the user manual found here. You’ll also want to turn off your browser’s password entry function to allow the Mooltipass to take care of the job itself.
With this computer software installed, the device can enter passwords without prompting, which I found a bit troublesome as it wants to keep logging in. It can also be set up to enter passwords upon a button press, or it can even respond by sensing when you knock two times on the table near the device. This knock detection feature is really excellent, and what I eventually settled on. However, to get things working properly I had to update the firmware from version 5 to 8, and play around with the sensitivity.
You’ll also need to figure out how to back up the password database (stored in the device itself), make a copy of your smart card, and go through your existing passwords to get them on the device. There is a way to upload credentials automatically in the proper format, but going through things manually is a good way to examine your credentials to ensure they’re up to snuff.
I had a bunch of passwords stored on my browser (Firefox), which can be easily viewed once in your system by navigating to about:logins. Admittedly, I’d never looked into this, and it was a bit of a rude awakening to see things out in the open like that. It’s definitely something to consider if you use a work computer that’s nominally “yours,” or if you need to share your computer for whatever reason.
The manual also notes that you’ll want to do battery maintenance when you first receive your device, which takes around 5 hours. The manual lists battery life as 2-7 days, and based on my limited experimentation I’d peg it at the lower end. This is enough for a short trip, but not something you’d want to depend on day after day like a keyboard or mouse.
An Excellent Device?
At the end of the day, when things work, the Mooltipass is really amazing. Navigate to a website, knock when prompted, and it logs you in. When you register a new website or make changes, it asks if you want to update the database. While some sites initially work better than others, given how many logins exist on the web, plus the many supported browser/OS combinations, it’s pretty impressive. The browser app has the functionality to set up custom credentials fields, and can report incompatibilities.
You can also plug the Mooltipass in to other devices that don’t have the app installed to have it type in stored usernames/passwords as a keyboard. Finally, it can display logins onscreen for manual input, sans a wired or BLE connection. This is less convenient, but it does make a good backup method for you, or perhaps even to share with others in some situations.
On the negative side, I find it asking me to contact support #002 more often than I’d like before requiring a reset. Additionally, when your connected computer logs out, it logs out as well. Since I’m using my password to log in directly to the computer, not the Mooltipass, this is necessary for security reasons, but can be a bit cumbersome.
Should You Get a Mooltipass BLE?
The cost of the Mooltipass BLE, both in terms of money ($125 + shipping), and time (potentially several hours to get things set up really well) is significant. For me, this included going over passwords to ensure they were in good shape, so it was, at least in part, a useful exercise. You’ll also have to deal with needing another device to have your passwords with you, and the occasional hardware and/or software hiccup.
All that being said, if you’re serious about the security of your passwords, and are comfortable with a period of adjustment, the Mooltipass appears to be a very good solution. In fact, while this is the only device of its kind that I’ve tried, based on my familiarity with other technologies, I haven’t seen anything that can beat it feature-for-feature. Now that I have things set up, I really do enjoy knocking on the table to tell it to log me into a website. It’s easy to take security for granted, but a bit of hassle today is much better than the possible consequences of getting your account(s) hacked.
Jeremy Cook is a freelance tech journalist and engineering consultant with over 10 years of factory automation experience. An avid maker and experimenter, you can follow him on Twitter, or see his electromechanical exploits on the Jeremy Cook YouTube Channel!