Generating Two-Factor Authentication Codes With a Commodore 64

If you’ve used a corporate VPN or an online-banking system in the past fifteen years or so, chances are you’ve got a few of those little authenticator key fobs lying around, still displaying a new code every 30 seconds. Today such one-time codes are typically sent to you by text message or generated by a dedicated smartphone app, which is convenient but a bit boring. If you miss having a dedicated piece of hardware for your login codes, then we’ve got good news for you: [Cameron Kaiser] has managed to turn a Commodore SX-64 into a two-factor authenticator. Unlike a key fob that’s one gadget you’re not likely to lose, and any thief would probably need to spend quite some time figuring out how to operate it.

The SX-64, if you’re not familiar, is the portable version of the venerable Commodore 64. Weighing in at more than 10 kg it’s not quite a MacBook Air, but it does come with a built-in color monitor and 5.25″ floppy drive. The CPU is an 8-bit 6510 running at about 1 MHz, and as you might imagine it was not a trivial task to implement cryptographic routines on it. Working directly from the definitions in RFC 6238, [Cameron] first determined all the necessary bits: an SHA-1 hasher, an HMAC generator and several routines to manipulate dates and times.

The SHA-1 algorithm and HMAC functions might seem complex, but in the end they boil down to performing addition, subtraction and several bitwise logical functions on 32-bit numbers. Lots of steps if you can only work with eight bits at a time, but nothing that even a 6510 can’t do in a reasonable amount of time, especially when running carefully hand-crafted assembly code.

Working with dates and times turned out to be more complicated. The few real-time clock add-ons that were available for the Commodore 64 series all return the time directly in human-readable format: great for everyday use but not so great for calculations that require Unix time. Converting between the two involves lots of multiplication and division, which takes forever if you don’t have a hardware multiplier. [Cameron]’s blog post is full of detail on how to optimize calculations on constrained hardware, and is an interesting read even if you’re working with modern processors.

The end result of the exercise looks almost exactly like a typical authentication app on your smartphone, including that annoying countdown bar. If you’re looking for a slightly more compact solution, you can do the same thing on an ESP32. Need a refresher on two-factor authentication techniques? We’ve got you covered.