
Open source allows our product to benefit from many engineers' expertise. This results in a verified security implementation.

Multiple users can share one Mooltipass. Their encrypted database can safely be exported to the cloud or to their computer.

A secure smartcard is used to decrypt all your credentials. 3 erroneous tries will permanently lock it.

The Mooltipass can be used with any USB enabled device, for any application. Simply select the credential you need sent on the Mooltipass screen.

The Mooltipass will prompt you for confirmation whenever you need to login on any website.

All your credentials are safely stored in a secure device, which doesn't rely on your computer security.

The Mooltipass is designed to be as simple as possible to use for users of all backgrounds and ages:

Integration with websites is done via our Google Chrome, Firefox and Safari plugins. We also provide you with an easy-to-use application to manage, import and export your credentials stored inside the Mooltipass.

The Mooltipass emulates a standard USB keyboard, and can therefore type your passwords for you on Windows, Linux, Mac and even most Apple and Android devices (through the USB On-The-Go port). It doesn't need any special drivers to function.

The Mooltipass offers the following advantages over software-based solutions:

The Mooltipass has an internal flash in which the user's encrypted credentials are stored, while a PIN-locked smartcard contains the AES-256 key required for their decryption. Like any chip and PIN card, 3 false tries will permanently disable the Mooltipass card. Credentials are sent over HID, and any operation that accesses a password must be physically approved by the user on the device.

Do you want to contribute and join a team of security minded individuals? Send us an email!

Just like Linux-based operating systems, open source allows our product to benefit from many engineers' expertise. This results in better code quality, more trust from our final users and a verified security implementation. We publish everything we do to provide you with the best security device.

Our team believes that great security can only be achieved through complete transparency. That's why we have been publishing everything that goes into making the Mooltipass on our GitHub repository from the project's start.

Frequently Asked Questions (FAQ)

Since the project's start we have received many questions about our project:

Device Security - If it is open source, does it mean it is less secure? Not at all. Having our code open source allows everyone to check our security implementation, which actually leads to a better code quality and more trust from our final users.

Device Security - Are you sure about your encryption implementation? The AES-256 used in the Mooltipass has been compared against standard NESSIE test vectors for correctness. Moreover, our security chain has been checked several times by qualified individuals and companies.

Device Security - How secure is the Mooltipass, really? We are using the most secure encryption algorithms and have designed our case to make it tamper evident. Our solution is therefore perfectly suited for individuals wanting to improve their credentials' safety.

Security - If I can export my encrypted credentials, does this mean someone could crack them? We are using AES-256 encryption in CTR mode; brute-forcing the encrypted credentials would take more than fifty years.

Security - If I only need to remember a PIN code, does it mean the Mooltipass is not safe? Not at all, as the Mooltipass system is exactly like a chip & pin bank card: 3 false tries will permanently block the smart card. Access to the AES-256 encryption key will then be blocked and credential decryption made impossible.

Security Practices - Why do I need different passwords for different websites? Websites are compromised on a daily basis. If you are using the same password for different websites, an attacker could use one stolen password on all of them.

Security Practices - Is your solution better than a piece of paper? A piece of paper contains passwords that can easily be read when you are not paying attention to it. The Mooltipass stores encrypted passwords that can only be read when providing your PIN code.

Device Use - Can a smartcard be used with multiple Mooltipass devices? You have the option to synchronize your credentials between multiple devices. This allows you to have one Mooltipass at work and one at home.

Device Use - Can it be used with an Android phone? Yes, with a micro USB to micro USB male/male cable.

Device Use - Can it be used with an iPhone? Yes, with a USB 2.0 to lightning female/male cable.

Device Design - Why are you using both a smart card and a main Mooltipass device? There are many reasons, the main one being that it is much easier to carry a smart card around than any other object. This smart card is a secure element that contains your credentials' encryption key; it is cheap and may be cloned without compromising the system security.

Device Design - How are the credentials sent to the computer? The Mooltipass is enumerated as a composite HID keyboard / HID proprietary device. The credentials are sent over the HID proprietary channel when using the browser plugin and over the keyboard channel when using the Mooltipass through its touch interface.

Device Design - Where do you source your components? All the integrated circuits (ICs) are directly purchased from their official manufacturers.

Device Design - What if I lose my Mooltipass device? Your encrypted credentials can be exported to either your computer or the Mooltipass official website. If you lose your device, you may purchase another one and restore your credentials or buy a simple inexpensive smartcard reader to extract your encryption key and decrypt your credential database.

Device Design - Why do you need an OLED screen? An offline password keeper needs to provide a way to prevent impersonation. The user has to check that the website/service for which they approve the credential request is the same as the website/service they are using, as a malicious program could emit forged requests. Moreover, having a display allows the user to operate the Mooltipass without the browser plugin, by using the dedicated touch interface.