Can You Hack an Old Authenticator? Security & Repurposing Guide

Rachel Kim

February 21, 2026

You found an old hardware authenticator in a drawer—can you hack it for other logins? We explore the technical realities, security risks, and ethical alternatives for repurposing authentication devices in 2026.

Introduction: The Temptation in the Junk Drawer

We've all been there. You're cleaning out that drawer full of old cables, forgotten adapters, and tech relics when you find it: a small hardware authenticator. Maybe it's a YubiKey from a previous job, a Google Titan key you stopped using, or some proprietary token from a bank you no longer bank with. Your first thought? "Cool! Can I hack this thing to use for my own logins?"

That exact question sparked a massive discussion on Reddit's r/hacking community recently, with over a thousand upvotes and more than a hundred comments from security enthusiasts, professionals, and curious tinkerers. The consensus wasn't simple—it was a fascinating mix of "technically possible," "ethically questionable," and "probably not worth the trouble." But the devil, as they say, is in the details. And in 2026, with authentication methods evolving rapidly, the answer is more nuanced than ever.

In this guide, we'll explore what you can actually do with that old authenticator, the real security implications, and whether you should even try. We'll break down the technical barriers, the legal and ethical considerations, and give you practical alternatives that won't potentially compromise your security or get you in trouble.

What Exactly Are You Holding? Identifying Your Authenticator

First things first—you need to know what you've got. Not all authenticators are created equal, and their hackability varies dramatically. Generally, you're looking at one of three types.

The most common find is a FIDO U2F/FIDO2 security key. Think YubiKey, Google Titan, or Thetis. These are the little USB/NFC dongles that work with services like Google, GitHub, and password managers. They store cryptographic private keys that never leave the device. The good news? They're standardized. The bad news? Those keys are typically burned into secure hardware at the factory and are extremely difficult to extract or modify.

Then there are older OATH-TOTP hardware tokens. These are the ones that display a rotating 6-digit code every 30 seconds. Banks loved these in the 2010s. Companies like RSA and Vasco made millions of them. Internally, they have a secret seed value and a clock. If you can extract that seed, you could theoretically add it to an app like Authy or Google Authenticator. This is where the hacking discussion gets interesting.

Finally, you might have a proprietary or smart card-based token. These are often tied to specific corporate or government systems. They might use PKI (Public Key Infrastructure) and require special middleware. These are usually the toughest nuts to crack and the least useful for personal repurposing.

The Technical Reality: Can You Actually "Hack" It?

Let's cut to the chase. The Reddit thread was filled with people asking, "But can I actually put my own seeds on this thing?" The short answer is: it depends, but usually no. And when you can, it's not straightforward.

Most modern hardware authenticators, especially FIDO2 keys, are designed with tamper-resistant secure elements. This isn't just regular flash memory. We're talking about chips that will literally self-destruct (or at least wipe their contents) if you try to physically probe them. Companies like Yubico and Google design these devices to be endpoints, not general-purpose storage. You can't just plug one in and drag a file onto it.

For older TOTP tokens, there's sometimes more hope. Some very old models stored their seed in regular EEPROM memory. In theory, with the right tools—a chip programmer, a SOIC clip, and some patience—you could read the memory, extract the seed, and maybe even write a new one. I've seen forum posts from a decade ago where people did this with certain RSA SecurID tokens. But here's the catch: in 2026, the tools and knowledge required are niche. You're looking at a weekend project that requires soldering skills and a willingness to possibly brick a device.

One Redditor put it perfectly: "You're asking if you can turn a dedicated calculator into a general-purpose computer. You might be able to if it's poorly designed, but why would you?" The effort-to-reward ratio is almost always skewed against you.

The Security Risks: Why It's Probably a Bad Idea

Let's say you do manage to extract a seed or modify a device. What have you actually gained? And more importantly, what have you potentially lost?

First, consider trust. The entire point of a hardware authenticator is that it's a trusted, isolated device. If you start modifying its firmware or contents, you break that chain of trust. How do you know your modifications didn't introduce a backdoor? How do you know the device's random number generator is still secure? You don't. You've turned a security device into a black box of your own making.

Second, there's the risk of bricking. These aren't $10 gadgets. A new YubiKey 5 Series costs around $50-70. If you mess up a firmware flash or corrupt the secure element, you now have a very expensive paperweight. And no, manufacturers won't help you—voiding the tamper-resistant seals definitely voids your warranty.

Finally, think about future compatibility. Authentication standards evolve. FIDO2 is the present and future. An old TOTP token you hacked might work today, but will it work with new services in 2027? Probably not. You're investing time into technology that's already on its way out.

The Legal and Ethical Gray Area

This is where the conversation gets sticky. That authenticator you found—who does it belong to? If it's from a former employer, it's almost certainly their property. Even if they told you to "just keep it," the cryptographic materials inside might still be tied to their systems. Using or dissecting it could violate corporate policies or even laws regarding protected systems.

Many hardware tokens have end-user license agreements (EULAs) that explicitly forbid reverse engineering. In the United States, the Digital Millennium Copyright Act (DMCA) has anti-circumvention provisions that could theoretically apply, though there are exemptions for security research. The legal landscape isn't clear-cut, and you probably don't want to be the test case.

Ethically, the hacking community generally operates on a principle of responsible disclosure and learning. Taking apart an old token to understand how it works? That's education. Trying to extract a seed to use for a live account you shouldn't have access to? That's crossing a line. The Reddit thread reflected this nuance—most commenters were excited about the technical challenge but cautious about actual misuse.

Practical, Ethical Alternatives to Hacking

So you've got this authenticator and you want to use it for something. What can you do that's both practical and above board?

If it's a FIDO2 key that's been reset, you're in luck! Many services let you register new keys. Just plug it into a site like Google, GitHub, or Dropbox and see if it prompts you to register it as a new security key. This is the easiest and most legitimate path. The device gets a fresh start with new cryptographic keys generated internally.

For older keys, consider them learning tools. I keep a small collection of decommissioned tokens for exactly this purpose. You can take them apart, examine the components, and understand the hardware without the pressure of needing it to work. It's fascinating to see the evolution of security chips and interfaces.

Another option: repurpose the form factor. I've seen clever projects where people gut old tokens and install Bluetooth beacons or USB storage inside the shell. It's a fun hardware hack that doesn't compromise security. You get the satisfaction of tinkering without any of the ethical baggage.

What You Should Actually Use in 2026

Let's be honest—if you're looking to hack an old authenticator, what you really want is affordable, reliable 2FA. The good news? The market has never been better.

For hardware, new FIDO2/WebAuthn keys are cheaper and more capable than ever. The YubiKey 5 Series remains the gold standard, but there are excellent alternatives like the Google Titan Security Key and open-source options like the SoloKey. These support not just FIDO2 but also TOTP, PGP, and more—all in a device designed for modern use.

For most people, though, a software authenticator app is perfectly sufficient. Authy, Microsoft Authenticator, and even the built-in options in password managers like 1Password offer secure, cloud-backed TOTP generation. They're free, they're convenient, and they work on all your devices.

The real pro tip? Use a combination. I recommend a hardware key for your most critical accounts (email, password manager, financial) and a software authenticator for everything else. This gives you both maximum security for what matters and convenience for the rest.

Common Questions & Misconceptions

Let's tackle some of the specific questions from that Reddit thread that keep coming up.

"Can I just clone my YubiKey?" No. The private keys are generated inside the secure element and cannot be exported. That's by design. If you could clone it, so could an attacker.

"What about the 'secret' button presses I've heard about?" Some tokens have manufacturer backdoors or test modes. These are typically well-guarded secrets and using them on a device still tied to an organization could have serious consequences. Not worth the risk.

"I extracted a seed! Can I put it in Google Authenticator?" Technically yes, if it's a standard TOTP seed (usually a base32 string). But again—where did that seed come from? If it's from your old bank token, the bank likely deactivated it on their end when you closed the account. It might generate codes, but they won't verify.

"Is there any resale value?" For most used, unreset authenticators: zero. No one should trust a pre-owned security device. For new-in-box or properly reset FIDO2 keys, there's a small market, but you're better off using it yourself.

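The seed-and-clock mechanism behind the TOTP tokens discussed earlier, and the point above that a deactivated seed still generates codes that will not verify, shown as an added example (not code from the Reddit thread or from any vendor). The `Verifier` class and the account name are hypothetical, and the seed is the published RFC 6238 test key, used here as a constructed sample.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, as on the tokens described above

# Constructed sample: base32 of the published RFC 6238 SHA-1 test key.
RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def code_for_counter(seed_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) value for one time-step counter."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # apps often drop the padding
    key = base64.b32decode(cleaned)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed_b32: str, unix_time: int) -> str:
    """RFC 6238: the code a token or app shows at unix_time."""
    return code_for_counter(seed_b32, unix_time // STEP)


class Verifier:
    """Hypothetical issuer side: codes are checked against enrolled seeds only."""

    def __init__(self):
        self.enrolled = {}  # account -> base32 seed

    def enroll(self, account: str, seed_b32: str) -> None:
        self.enrolled[account] = seed_b32

    def deactivate(self, account: str) -> None:
        self.enrolled.pop(account, None)

    def verify(self, account: str, code: str, unix_time: int, window: int = 1) -> bool:
        seed = self.enrolled.get(account)
        if seed is None:  # token deactivated: nothing to compare against
            return False
        now = unix_time // STEP
        # Accept neighbouring steps because hardware token clocks drift.
        return any(
            hmac.compare_digest(code_for_counter(seed, c).encode(), code.encode())
            for c in range(max(0, now - window), now + window + 1)
        )
```

After `deactivate`, `totp` keeps returning the same code for the same time, but `verify` returns `False` because the issuer no longer holds the seed.
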
Conclusion: Curiosity vs. Practicality

Finding an old authenticator sparks that beautiful hacker curiosity: "How does this work? Can I make it do something else?" That curiosity is valuable—it's what drives security research and innovation. But when it comes to your actual authentication setup in 2026, practicality and security should win.

That token in your drawer represents an interesting piece of security history. It might make a great conversation starter or a component in an art project. But as a daily driver for protecting your digital life? You're better off with modern, purpose-built tools that come with warranties, updates, and community support.

My advice? Keep the old token as a souvenir or take it apart to satisfy your technical curiosity. Then buy a new security key from a reputable vendor and set it up properly. Your future self—with all your accounts intact—will thank you.

And if you're really passionate about hardware hacking, consider channeling that energy into learning about open-source security keys or contributing to projects like OpenSK. That way, you're building the future of authentication instead of trying to resurrect its past.

Rachel Kim

Tech enthusiast reviewing the latest software solutions for businesses.