PocketStation as two-factor authentication

[DarkFader] sent in his build that implements two-factor authentication on a Sony PocketStation.

The PocketStation was a PS1 accessory intended to be a competitor to the Dreamcast VMU. [DarkFader] wrote an app for his PocketStation using a fabulous PocketStation emulator and uploaded it with the PS3 memory card adapter and MCRWwin.

The PocketStation app (available here) takes a key and hashes it with the current time to generate a six digit code. Combined with Google’s support for two-factor authentication, [DarkFader]‘s memory card provides access to his Google profile.

Two-factor authentication is also used in RSA SecurID key fobs that were compromised earlier this year. This lead to a huge number of companies being penetrated. For a single person, obscurity is a reasonable (but still ultimately futile) means of providing a little more security, but a PocketStation hack is still pretty cool.

Check out the video after the break that shows [DarkFader] using his PocketStation token.


  1. Ptolom says:

    But security through depth isn’t the same thing as security through obscurity though. The former uses two different types of authentication, reducing the chances of an attacker compromising both. The latter is just making a system undocumented or superficially complex in an attempt to slow down attacks.

  2. SparkDustJoe says:

    I don’t always have my phone on me so I wrote a Google Authenticator clone for .NET (Windows only, sorry, but if someone wants to take up the flag for MONO, go ahead, it’s all free to use)


    I also did a write up on it (an older version) on my blog, The Albuquerque Left Turn


    …I need to update those screenshots…

  3. Anonymous says:

    The compromise at RSA didn’t necessarily result in those other companies being attacked using data retrieved from the compromise at RSA. The other companies were discovered to exhibit similar phone-home behavior similar to systems that were breached at RSA, indicating that they were likely compromised by the same people as those who compromised RSA, but it says nothing about how they did it.

  4. GCL says:

    The site he talks about, (not his) needs to be translated before it makes sense. Also the gadget only exists in Japan.

  5. Josh Malone says:

    Cool! I still have a stash of VMUs… wonder if this could be ported.

  6. Raisin says:

    Haha, I could see your password! :)

  7. Flavor says:

    Whoa, DarkFader! Nice to see you on Hackaday, ol’ pal.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 96,312 other followers