This portable device is like Post-It notes on a monitor, but much more secure.
In the wake of the latest string of security attacks, the necessity for two-factor authentication is clearer than ever before. And, while log-ins and passwords are critical elements required to access the sites and services we use on a daily basis, remembering complex credentials can be quite difficult. In an effort to minimize the number of ways a password could be compromised, the Hackaday community recently devised an offline password keeper aptly named Mooltipass.
Having successfully garnered $109,112 on Indiegogo, the portable device is described by its 30-plus creators as “a physical encrypted password keeper that remembers your credentials so you don’t have to.” Meanwhile, a personal PIN-locked smart card is equipped for each user to gain access to stored credentials. Upon visiting a website, the pocket-sized Mooltipass will ask for confirmation to enter one’s unique credentials when log-in is required.
Its team — which is made up of Makers spanning across the entire globe — selected an ATmega32U4 MCU to power the offline password keeper, which also boasts an easy-to-read OLED screen, a read-protected smart card (AT88SC102) and Flash memory to store encrypted passwords.
“The ATmega32U4 is the same microcontroller [found] in the Arduino Leonardo, allowing us to use the numerous libraries that have been developed for it. In the final schematics, we’ll add an expansion connector so users may connect additional peripherals (we may switch to a FOUR4 layers PCB at this point),” project manager Mathieu Stephan explained in an earlier post. “The microcontroller’s USB lines are protected from ESD by the IP4234CZ6. For encrypted password storage, we found the cheap 1Mbit AT45DB011D FLASH which also has 2/4/16Mbits pin compatible versions. If our beta testers find that 1Mbit is not enough, upgrading the Mooltipass would be easy.”
As noted above, Atmel’s AT88SC102 was chosen to be the secure smart card, which offers 1024bits read/write protected EEPROM. In terms of the display, the team says it has temporarily for the OLED screen, although the creation of another mooltipass version with an IPS LCD is more than likely. Given that the device is intended for many different users, the normal-sized OLED screen provides great readability, and therefore, better user experience.
“The Mooltipass emulates a standard USB keyboard, and can therefore type your passwords for you on Windows, Linux, Mac and even most Apple and Android devices (through the USB On-The-Go port). It doesn’t need any special drivers to function. Integration with websites is done via a Google Chrome plugin and we are working to implement plugins for other major browsers. While all password recall functionality is done through the Mooltipass device, credential management is done through a dedicated application.”
As its page highlights, how the Mooltipass works is fairly simple:
- Plug the device into a computer/tablet/phone. (No driver is required.)
- Insert smartcard, unlock it with PIN. (Without the PIN, the card is useless.)
- Visit a website that requires a log-in. (If using its browser plugin, the Mooltipass asks your permission to send the stored credentials, or asks a user to save/generate new ones if logging in for the first time.)
- If not using the browser plugin or are logging in on something other than a web browser, a user can tell the Mooltipass to send the correct log-in and password. (It will typed in, just like a keyboard.)
The Mooltipass is enumerated as a composite HID keyboard/proprietary device. Credentials are sent over the HID proprietary channel when using the browser plug-in and over the keyboard channel when using the Mooltipass through its AT42QT2120 based touch interface.
Each Mooltipass is shipped with two smart cards, which allow a user to make a duplicate of their primary card for backup. Similarly, you can securely backup the credentials stored in your Mooltipass on your computer to protect them from loss.
In addition, the team says that anyone can easily convert their Mooltipass into an Arduino platform by using a knife or similar utensil. The device boasts Arduino headers that will enable any ‘duino shield to be connected to it. “Hence, we made the Mooltipass as small as possible while keeping its great features… Projects are only limited by your imagination, when combining our on-board peripherals with standard Arduino shields which can be purchased on the Internet.”
The project is open-source with its code readily accessible on Github, surely giving a boost to its security claims. After all, its team believes that “great security can only be achieved through complete transparency.”
Interested in learning more about Mooltipass? You can head over to its official crowdfunding page, as well as can find a detailed breakdown of the device here. The password keeper is currently being prepared for production which is slated to begin in March 2015.
“A few days ago we had the awesome surprise to receive 250 ATmega32U4 MCUs together with 250 AT42QT2120 touch sensing ICs. We would therefore like to thank the awesome Atmel team in Norway who wanted to support our completely transparent and open-source device! We are extremely grateful,” Mathieu recently shared.