Yubico has welcomed OpenAI’s decision to require hardware-backed passkeys for individual members of its Trusted Access for Cyber program.
From 1 September 2026, all individual Trusted Access for Cyber members must enable OpenAI’s Advanced Account Security using a hardware-backed passkey to retain access to the company’s most cyber-capable frontier models. Members who do not meet the requirement will return to default model access.
Trusted Access for Cyber provides qualified security researchers and organisations with access to advanced AI capabilities for authorised defensive cybersecurity work, including vulnerability triage and validation, malware analysis, detection engineering and patch validation.
The new requirement reflects the heightened security risks posed by increasingly capable artificial intelligence models and the need to ensure that access remains limited to verified and trusted users.
OpenAI is also strengthening restrictions for high-risk entities and jurisdictions as part of a broader effort to prevent the misuse of advanced cyber capabilities.
Hardware-backed passkeys store authentication credentials in a physical security key rather than synchronising them through software or cloud services. The credentials cannot be copied or remotely extracted, providing stronger protection against phishing, credential theft, adversary-in-the-middle attacks and account takeover.
The mandate comes as cybercriminals increasingly use sophisticated phishing, social engineering and session hijacking techniques to bypass passwords and legacy multi-factor authentication methods such as SMS codes and mobile push notifications.
While traditional account protections can be intercepted, redirected, or socially engineered, hardware-backed passkeys verify both the user and the legitimate service before authentication occurs. This prevents users from inadvertently signing in to fraudulent websites designed to capture their credentials.
Requiring physical, phishing-resistant authentication also makes it considerably more difficult and expensive for threat actors to create, validate and resell compromised accounts at scale.
Through OpenAI’s Advanced Account Security program, users can protect their ChatGPT accounts with security keys while disabling weaker fallback authentication methods that could otherwise be exploited by attackers.
OpenAI already uses YubiKeys internally to protect its employees and infrastructure from sophisticated phishing attacks. The expanded partnership enables eligible users to adopt the same hardware-backed security model.
A custom two-pack of YubiKeys is available to existing OpenAI account holders at preferred pricing. The pack includes:
- YubiKey C NFC – OpenAI, which enables users to authenticate on compatible phones, tablets and computers using USB-C or a tap through near-field communication.
- YubiKey C Nano – OpenAI, a low-profile USB-C security key designed to remain connected to a laptop for convenient, ongoing protection.
Once enrolled, users can authenticate through a fast, passwordless process without relying on credentials that can be copied, intercepted or synchronised between devices.
The requirement represents an important shift in AI security, recognising that model safeguards must be supported by strong identity and authentication controls. As access to advanced AI capabilities becomes more valuable, organisations will increasingly need to consider not only what their systems can do but who is permitted to use them and how that access is protected.
More information about Advanced Account Security and the YubiKey offer is available at chatgpt.com/advanced-account-security.
For more information on Yubico, visit www.yubico.com.
Related
This entry was posted on July 13, 2026 at 8:24 am and is filed under Commentary with tags Yubico. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
OpenAI mandates hardware-backed passkeys for access to its most advanced cyber models
Yubico has welcomed OpenAI’s decision to require hardware-backed passkeys for individual members of its Trusted Access for Cyber program.
From 1 September 2026, all individual Trusted Access for Cyber members must enable OpenAI’s Advanced Account Security using a hardware-backed passkey to retain access to the company’s most cyber-capable frontier models. Members who do not meet the requirement will return to default model access.
Trusted Access for Cyber provides qualified security researchers and organisations with access to advanced AI capabilities for authorised defensive cybersecurity work, including vulnerability triage and validation, malware analysis, detection engineering and patch validation.
The new requirement reflects the heightened security risks posed by increasingly capable artificial intelligence models and the need to ensure that access remains limited to verified and trusted users.
OpenAI is also strengthening restrictions for high-risk entities and jurisdictions as part of a broader effort to prevent the misuse of advanced cyber capabilities.
Hardware-backed passkeys store authentication credentials in a physical security key rather than synchronising them through software or cloud services. The credentials cannot be copied or remotely extracted, providing stronger protection against phishing, credential theft, adversary-in-the-middle attacks and account takeover.
The mandate comes as cybercriminals increasingly use sophisticated phishing, social engineering and session hijacking techniques to bypass passwords and legacy multi-factor authentication methods such as SMS codes and mobile push notifications.
While traditional account protections can be intercepted, redirected, or socially engineered, hardware-backed passkeys verify both the user and the legitimate service before authentication occurs. This prevents users from inadvertently signing in to fraudulent websites designed to capture their credentials.
Requiring physical, phishing-resistant authentication also makes it considerably more difficult and expensive for threat actors to create, validate and resell compromised accounts at scale.
Through OpenAI’s Advanced Account Security program, users can protect their ChatGPT accounts with security keys while disabling weaker fallback authentication methods that could otherwise be exploited by attackers.
OpenAI already uses YubiKeys internally to protect its employees and infrastructure from sophisticated phishing attacks. The expanded partnership enables eligible users to adopt the same hardware-backed security model.
A custom two-pack of YubiKeys is available to existing OpenAI account holders at preferred pricing. The pack includes:
Once enrolled, users can authenticate through a fast, passwordless process without relying on credentials that can be copied, intercepted or synchronised between devices.
The requirement represents an important shift in AI security, recognising that model safeguards must be supported by strong identity and authentication controls. As access to advanced AI capabilities becomes more valuable, organisations will increasingly need to consider not only what their systems can do but who is permitted to use them and how that access is protected.
More information about Advanced Account Security and the YubiKey offer is available at chatgpt.com/advanced-account-security.
For more information on Yubico, visit www.yubico.com.
Share this:
Like this:
Related
This entry was posted on July 13, 2026 at 8:24 am and is filed under Commentary with tags Yubico. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.