

OpenAI Mandates Hardware-Backed Passkeys For Access To Its Most Advanced Cyber Models
Hardware-backed passkeys are now a requirement for OpenAI’s most trusted cybersecurity users. Yubico has welcomed OpenAI’s decision. The company now requires hardware-backed passkeys for individual members of its Trusted Access for Cyber program.
Starting 1 September 2026, all individual Trusted Access for Cyber members must enable OpenAI’s Advanced Account Security. They need a hardware-backed passkey to keep access to the company’s most cyber-capable frontier models. Otherwise, members will return to default model access.
What Trusted Access For Cyber Provides
Trusted Access for Cyber gives qualified security researchers and organisations access to advanced AI capabilities. This supports authorised defensive cybersecurity work. For example, it covers vulnerability triage and validation, malware analysis, detection engineering and patch validation.
The new requirement reflects heightened security risks. As AI models grow more capable, OpenAI needs to keep access limited to verified, trusted users. Additionally, OpenAI is strengthening restrictions for high-risk entities and jurisdictions. This is part of a broader effort to prevent misuse of advanced cyber capabilities.
Why Hardware-Backed Passkeys Matter
Hardware-backed passkeys store authentication credentials in a physical security key. Unlike software or cloud-based methods, attackers cannot copy or remotely extract these credentials. As a result, they offer stronger protection against phishing, credential theft, adversary-in-the-middle attacks and account takeover.
Jerrod Chong, CEO of Yubico, said the decision established a new model for protecting access to high-value AI systems.


“We are introducing a new model for phishing-resistant security at scale for the AI ecosystem,” said Jerrod Chong, chief executive officer, Yubico. “This partnership with OpenAI delivers the highest level of protection against phishing with a low-friction user experience. Ultimately, our intent is to drastically reduce the threat of unauthorised access to sensitive data in OpenAI accounts worldwide. We are proud to partner with OpenAI to deliver YubiKeys, the leading security key that offers the strongest way to use passkeys, increasing protection of sensitive user data for the AI frontier.”
Responding To Rising Phishing Threats
Cybercriminals increasingly rely on sophisticated phishing, social engineering and session hijacking. Consequently, they can bypass passwords and older multi-factor methods, such as SMS codes and mobile push notifications.
Traditional protections have weaknesses. Attackers can intercept, redirect, or socially engineer their way around them. Hardware-backed passkeys work differently: they verify both the user and the legitimate service before authentication occurs. Therefore, users can’t accidentally sign into fraudulent websites built to steal their credentials.
Physical, phishing-resistant authentication also raises the cost for attackers. In short, it becomes far harder for threat actors to create, validate and resell compromised accounts at scale.
How Advanced Account Security Works
Through OpenAI’s Advanced Account Security program, users can protect their ChatGPT accounts with security keys. At the same time, they can disable weaker fallback methods that attackers could otherwise exploit.
OpenAI already uses YubiKeys internally to protect employees and infrastructure from phishing attacks. Now, the expanded partnership brings that same hardware-backed model to eligible external users.
A custom two-pack of YubiKeys is available to existing OpenAI account holders at preferred pricing. The pack includes:
- YubiKey C NFC – OpenAI: enables authentication on compatible phones, tablets and computers using USB-C or a tap through near-field communication.
- YubiKey C Nano – OpenAI: a low-profile USB-C security key designed to stay connected to a laptop for convenient, ongoing protection.
Once enrolled, users can authenticate through a fast, passwordless process. Their credentials can’t be copied, intercepted or synced between devices.
A Broader Shift In AI Security
This requirement marks an important shift in AI security. Model safeguards must be backed by strong identity and authentication controls. Additionally, as access to advanced AI capabilities grows more valuable, organisations need to think beyond capability. Ultimately, they must also consider who is permitted to use their systems and how that access is protected.
More information about Advanced Account Security and the YubiKey offer is available at chatgpt.com/advanced-account-security.
For more information on Yubico, visit www.yubico.com.
Stay Informed With Cyber News Live
Cyber threats are constantly evolving, and staying informed is critical to protecting your organization. Follow Cyber News Live for the latest cybersecurity news, threat intelligence, expert analysis, and practical guidance to help strengthen your cyber defenses.
