It's just a password manager (although, with some firmware and client tweaks, it could be a signing device), and only $45.

I've never heard of Mooltipass before but it looks legit! The whole knocking on wood thing is weird, but they seem legit about being open source, as opposed to being like most companies that claim to be open source because one component is open source. I saw Mooltipass has published KiCad files.

Discussion

"Just a password manager"... LOL. Password ENHANCER! Sounds fancier... I've been trying to emulate something like this with a 2D barcode scanner and physically pre-printed QR codes... In my mind I see little icons/emojis in the corner/center of each QR code and it's a book format, so only I can know the correct sequence of QR codes to "generate" the super secret squirrel mega-password...

I do remember the knock thing... Yeah, weird like politics. The card thingy for multiple users to share the same EXPENSIVE device was a nod to the shareability of tech. I agree with your simplicity approach.

Since you're a security researcher, do you have an opinion on Foundation Devices' Passport bitcoin airgapped signer? I'm excited about bitcoin but want to start with a good tech foundation, so the name seems baity or good marketing... I don't know how to verify anything...

I've only seen it in passing, not looked at the hardware or software or tried to verify any of their claims. But here are my quick thoughts:

- Good design to not have any wireless hardware

- Open source hardware allows people to verify that fact

- CPU is actually the same make as is used in the Signet, but theirs looks like a much more complex model (based on the picture)

- Form factor is pretty cool, but if customs asks you to turn on your "phone" to prove it works, things might get awkward

The first thing I'd want to know is what secrets are stored on the device, if any. Since it has a secure element, I'm guessing the secret is on the device. The next question is about the ability to make a backup, and how is the secret protected?

I prefer simplicity in design to banking on a secure element that I can't fully audit.

I've poked around in the codebase for SeedSigner and I can say that it's legit. It doesn't store your secrets at all. You enter it each time you boot. Requires you securely store your seed phrase, but that's not a problem for me. 😎

Thank you!