Opinion on the Mooltipass?

[con-f-use]

Since it is sort of a "big thing" on Hackaday:

The Mooltipass on git...
...and on Hackaday

I'm pretty much indifferent. I don't get it. Care to get me excited?

btw. Moo is in.

[Maxlor]

Hm there's not too much information available. It all depends on the smart card implementation though, but I can't see details about that. With a secure smart card, this might actually work, if they don't fall through one of the many crypto traps.

Personally, I use LastPass with Yubikey-authentification. While I'm not happy with storing my passwords on a 3rd party server (LastPass claims they're stored in encrypted form, but I really have no way to check that,) I decided that the advantage of having secure and unique passwords for every service I use is bigger than the disadvantage of storing the passwords with them. The Yubikey acts as a security token for two factor authentication on computers I don't totally trust, like my work computer. The whole thing works pretty well for me. If I could actually run the server side on one of my own systems, it'd be perfect. Oh well.

[gxti]

It's a great idea, but I'm biased because I thought of it too. The downside is that it's an extra device to carry around and unlike the YubiKey it's a little too big to just clip onto your keychain. Most people are never going to care enough to pay that inconvenience, but I would.

The crypto needs to be audited. I don't see any source code yet but from the README it sounds like they might not have put much thought into the cipher block mode. I'm more than happy to contribute in this area.

I'm not thrilled with the choice of AVR, I would rather have seen something more powerful like a STM32. I really really hate fussing with 8 bit micros so I probably won't be contributing much, if any, code.

[nowlan]

Would be nice if my phone's NFC could act as token.

[nctnico]

Something like this?

Extra bonus point for the one who knows which movie this screenshot is from... 

[FrankBuss]

Extra bonus point for the one who knows which movie this screenshot is from... 

Who doesn't know The Fifth Element?

[con-f-use]

Who doesn't know The Fifth Element?

I wish I didn't!

[DomesticHacks]

Storing the final password on a device isn't that usefull.
Even when the encryption is strong enough the password still can be stolen for example by maleware, hacked websites (Adobe), keyloggers......
When you are already carry a device with you I think it should at least do some kind of Two-factor authentication.

At the moment I work on a open source Two-factor authentication device and already have a working prototype but it still needs some work.
I will publish it on my YouTube channel when I have someting to show. Especially the software for implementing this in a webapplication needs some tweaks.

[Marco]

Ideally my credentials shouldn't ever be on my PC at all, I just want to be able to authenticate directly to a website through something like Yubikey ... the ideal form factor for such a device would be a microsd card with a swipe sensor along it's external edge.

[free_electron]

Extra bonus point for the one who knows which movie this screenshot is from... 

Who doesn't know The Fifth Element?

what's this 'movie' thing i keep hearing about ? some new lab tool ?

[Marco]

Can someone explain to me why TOTP exists? It seems to offer no real advantages over a challenge/response protocol with PKI.

Is it just intentional subversive distraction to keep the correct approach from going mainstream?

[DomesticHacks]

The advantage is that the device doesn't need a connection to the pc, smartphone, freezer, toaser....
Especially for smartphones it's interesting.

[Marco]

Hmm, yeah I didn't think that through.