Cameron Kaiser's Commodore SX-64 Has an Unusual Job: Delivering TOTP Two-Factor Authentication Codes

Developer and vintage computing enthusiast Cameron Kaiser has taken an unusual approach to the problem of two-factor authentication — by programming a time-based one-time password (TOTP) generator for the Commodore 64 family of eight-bit microcomputers.

"Multi-factor authentication is ripe for disruption. SMS 2FA is inherently defective. Phone authenticators get stolen. Security tokens get lost. But just try misplacing a Commodore SX-64," Kaiser writes of the project, referring to Commodore's chunky luggable Commodore 64 spin-off from 1984 with its detachable keyboard and built-in CRT monitor. "And any thief who tries to grab it and run gets a free hernia truss from the prison infirmary."

Kaiser's project takes this machine, or any other device capable of running Commodore 64 programs, and turns it into what could be the world's oldest and bulkiest two-factor authentication token. "Yes, you really can use your Commodore 64 for multi-factor authentication to generate TOTP codes," he explains.

"Keys can be entered manually in hexadecimal or loaded as binary files from disk (you specify the file, offset and length), and it can either use the real-time clock in CMD FD and HD devices or with devices implementing a compatible T-RA command or you can just manually enter the time for demonstration."

In Kaiser's implementation, keys are loaded from color-coded 5.25" floppy disks and the corresponding password printed to screen — along with a countdown bar showing how long the password remains valid until the next one is generated. Based on the RFC 6238 standard for time-based one-time password authentication, the program implements an SHA-1 hash algorithm, an HMAC generator, time-zone converter, and value extraction — all on an eight-bit microprocessor running at 1MHz or less and with 64kB of physical RAM.

"Some of you are asking already if this idea is totally nuts or just mostly," Kaiser notes. "But consider: the C64 has a very small attack surface and it can be made completely airgapped. Keys can be entered manually, or stored as binary files which you have to know the file, offset and length to correctly use (unless you make the entire file the key). Heck, you have to even know what disk (or cassette tape?) it's on. Plus, anything fun is always a satisfactory justification!"

A deep-dive into the technology behind the project is available on Kaiser's vintage computing blog, while the project source code and binary files are available on GitHub under the permissive BSD 3-clause license.