PocketStation As Two-factor Authentication

[DarkFader] sent in his build that implements two-factor authentication on a Sony PocketStation.

The PocketStation was a PS1 accessory intended to be a competitor to the Dreamcast VMU. [DarkFader] wrote an app for his PocketStation using a fabulous PocketStation emulator and uploaded it with the PS3 memory card adapter and MCRWwin.

The PocketStation app (available here) takes a key and hashes it with the current time to generate a six digit code. Combined with Google’s support for two-factor authentication, [DarkFader]‘s memory card provides access to his Google profile.

Two-factor authentication is also used in RSA SecurID key fobs that were compromised earlier this year. This lead to a huge number of companies being penetrated. For a single person, obscurity is a reasonable (but still ultimately futile) means of providing a little more security, but a PocketStation hack is still pretty cool.

Check out the video after the break that shows [DarkFader] using his PocketStation token.

[youtube=http://www.youtube.com/watch?v=3echEnfSEfE&w=470]

7 thoughts on “PocketStation As Two-factor Authentication

  1. But security through depth isn’t the same thing as security through obscurity though. The former uses two different types of authentication, reducing the chances of an attacker compromising both. The latter is just making a system undocumented or superficially complex in an attempt to slow down attacks.

  2. I don’t always have my phone on me so I wrote a Google Authenticator clone for .NET (Windows only, sorry, but if someone wants to take up the flag for MONO, go ahead, it’s all free to use)

    http://googleauthclone.codeplex.com/

    I also did a write up on it (an older version) on my blog, The Albuquerque Left Turn

    http://thealbuquerqueleftturn.blogspot.com/2011/06/google-does-two-factor-authentication.html

    …I need to update those screenshots…

  3. The compromise at RSA didn’t necessarily result in those other companies being attacked using data retrieved from the compromise at RSA. The other companies were discovered to exhibit similar phone-home behavior similar to systems that were breached at RSA, indicating that they were likely compromised by the same people as those who compromised RSA, but it says nothing about how they did it.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.