Access to OpenAI’s most cyber-capable AI models will soon require something no phishing email can steal: a physical security key tapped against a phone or plugged into a laptop.

From September 1, individual members of the company’s Trusted Access for Cyber program must switch on OpenAI’s Advanced Account Security feature using a hardware-backed passkey, or fall back to default model access. The program gives vetted security researchers and organisations elevated access to advanced AI capabilities for authorised defensive work, spanning vulnerability triage and validation, malware analysis, detection engineering, and patch validation, and OpenAI is tightening restrictions on high-risk entities and jurisdictions as part of the same push against misuse.

A hardware-backed passkey lives in a physical key rather than syncing through software or the cloud, so the credential cannot be copied or extracted remotely. It also checks that the site asking for a login is the real one before authenticating, which defeats phishing and adversary-in-the-middle attacks, where a fraudulent page sits between the user and the genuine service. Enabling Advanced Account Security also lets users switch off the weaker fallback login methods that attackers otherwise target.

Yubico is supplying the hardware side, offering OpenAI account holders a custom two-pack at preferred pricing: a USB-C YubiKey that authenticates on phones and tablets with a tap over near-field communication, and a low-profile key that stays in a laptop port. OpenAI already uses YubiKeys internally to protect its own staff and infrastructure. “We are introducing a new model for phishing-resistant security at scale for the AI ecosystem,” said Jerrod Chong, chief executive of Yubico.

The move deepens OpenAI’s turn toward the authentication world it increasingly depends on. The company recently joined the FIDO Alliance to help shape how phones authenticate AI agents, and the credentials it is now mandating ride a wave of mainstream adoption, with the FIDO Alliance counting three billion passkeys in use.

For the vetted researchers involved, the calculus is simple: a credential that cannot be phished, copied, or synchronised makes a compromised account far harder and more expensive to create, validate, and resell, raising the cost of the most obvious way into a program built around trusted access to sensitive capability.


More

RSA and the FIDO Alliance Champion the Enterprise Passkey Revolution

In this joint briefing, RSA Security’s Jim Taylor and the FIDO Alliance’s Andrew Shikiar detailed the global transition away from legacy…

Read More →

Microsoft and Google push passkeys deeper into workplace authentication

Microsoft and Google are pushing passkeys and hardware security keys deeper into workplace authentication, with…

Read More →

Biometric Update: Microsoft and Google push passkeys deeper into workplace authentication

Microsoft and Google are pushing passkeys and hardware security keys deeper into workplace authentication, with…

Read More →


123332 Next

Subscribe to the FIDO newsletter

Stay Connected, Stay Engaged

Receive the latest news, events, research and implementation guidance from the FIDO Alliance. Learn about digital identity and fast, phishing-resistant authentication with passkeys.