Generating Two-Factor Authentication Codes With A Commodore 64

A Commodore SX-64 showing a six-digit code and a countdown timer

If you’ve used a corporate VPN or an online-banking system in the past fifteen years or so, chances are you’ve got a few of those little authenticator key fobs lying around, still displaying a new code every 30 seconds. Today such one-time codes are typically sent to you by text message or generated by a dedicated smartphone app, which is convenient but a bit boring. If you miss having a dedicated piece of hardware for your login codes, then we’ve got good news for you: [Cameron Kaiser] has managed to turn a Commodore SX-64 into a two-factor authenticator. Unlike a key fob that’s one gadget you’re not likely to lose, and any thief would probably need to spend quite some time figuring out how to operate it.

The SX-64, if you’re not familiar, is the portable version of the venerable Commodore 64. Weighing in at more than 10 kg it’s not quite a MacBook Air, but it does come with a built-in color monitor and 5.25″ floppy drive. The CPU is an 8-bit 6510 running at about 1 MHz, and as you might imagine it was not a trivial task to implement cryptographic routines on it. Working directly from the definitions in RFC 6238, [Cameron] first determined all the necessary bits: an SHA-1 hasher, an HMAC generator and several routines to manipulate dates and times.

The SHA-1 algorithm and HMAC functions might seem complex, but in the end they boil down to performing addition, subtraction and several bitwise logical functions on 32-bit numbers. Lots of steps if you can only work with eight bits at a time, but nothing that even a 6510 can’t do in a reasonable amount of time, especially when running carefully hand-crafted assembly code.

Working with dates and times turned out to be more complicated. The few real-time clock add-ons that were available for the Commodore 64 series all return the time directly in human-readable format: great for everyday use but not so great for calculations that require Unix time. Converting between the two involves lots of multiplication and division, which takes forever if you don’t have a hardware multiplier. [Cameron]’s blog post is full of detail on how to optimize calculations on constrained hardware, and is an interesting read even if you’re working with modern processors.

The end result of the exercise looks almost exactly like a typical authentication app on your smartphone, including that annoying countdown bar. If you’re looking for a slightly more compact solution, you can do the same thing on an ESP32. Need a refresher on two-factor authentication techniques? We’ve got you covered.

15 thoughts on “Generating Two-Factor Authentication Codes With A Commodore 64

  1. Couldn’t the cart slot be used to plug in a 32-bit processor that generates a number when needed? Can be sent back in 4 bytes then sit and wait until requested

    I still have 3 old authenticator fobs for World of Warcraft games. They still work but the battery’s probably near end of usable life. I’ve long switched to mobile authenticator on my phone.

      1. I am a 32 bit SLAVE to the old 8 bit New World Order. They have stuck me into an expansion port and I have to do what I am told, I have no choice. But that does not make me a willing FOLLOWER. After all, slaves have to do what they are told and not act on their own will independently, even if they are more powerful physically then their master.

        Do worse, go PC.

          1. Yes, fairly new here, but, acquainted with the PC narrative and the “do better” comment the other person left for the poster. FWIW: I usually think of older drives as 0 and 1, but, I am a binary sort of person.

  2. Very nice PoC :) Coolm. Yet it has a weakness.. Once I built a teletext system on C64, which after some time.. the time drifted… a lot. Then I found out the internal clock is based on the power source frequency, which in some areas is not so stable and precise as I expected and required. So without some more precise real-time-clock this wouldn’t be very usable in long run

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.