Access to OpenAI’s most cyber-capable AI models will soon require something no phishing email can steal: a physical security key tapped against a phone or plugged into a laptop.

From September 1, individual members of the company’s Trusted Access for Cyber program must switch on OpenAI’s Advanced Account Security feature using a hardware-backed passkey, or fall back to default model access. The program gives vetted security researchers and organisations elevated access to advanced AI capabilities for authorised defensive work, spanning vulnerability triage and validation, malware analysis, detection engineering, and patch validation, and OpenAI is tightening restrictions on high-risk entities and jurisdictions as part of the same push against misuse.

A hardware-backed passkey lives in a physical key rather than syncing through software or the cloud, so the credential cannot be copied or extracted remotely. It also checks that the site asking for a login is the real one before authenticating, which defeats phishing and adversary-in-the-middle attacks, where a fraudulent page sits between the user and the genuine service. Enabling Advanced Account Security also lets users switch off the weaker fallback login methods that attackers otherwise target.

Yubico is supplying the hardware side, offering OpenAI account holders a custom two-pack at preferred pricing: a USB-C YubiKey that authenticates on phones and tablets with a tap over near-field communication, and a low-profile key that stays in a laptop port. OpenAI already uses YubiKeys internally to protect its own staff and infrastructure. “We are introducing a new model for phishing-resistant security at scale for the AI ecosystem,” said Jerrod Chong, chief executive of Yubico.

The move deepens OpenAI’s turn toward the authentication world it increasingly depends on. The company recently joined the FIDO Alliance to help shape how phones authenticate AI agents, and the credentials it is now mandating ride a wave of mainstream adoption, with the FIDO Alliance counting three billion passkeys in use.

For the vetted researchers involved, the calculus is simple: a credential that cannot be phished, copied, or synchronised makes a compromised account far harder and more expensive to create, validate, and resell, raising the cost of the most obvious way into a program built around trusted access to sensitive capability.


More

Cyber Insider: ExpressVPN adds passkeys on password manager, passes security audit

ExpressVPN has announced a major update to its standalone ExpressKeys password manager, adding passkey support,…

Read More →

Tech Radar Pro: Know your agent: building the foundation of autonomous commerce

Artificial intelligence has officially entered its execution phase. After years of experimentation, businesses are rapidly deploying…

Read More →

PaymentsJournal: EMVCo Proposes Standards for Stronger Payment Authentication

EMVCo has released a draft framework that could pave the way for a universal standard…

Read More →


Subscribe to the FIDO newsletter

Stay Connected, Stay Engaged

Receive the latest news, events, research and implementation guidance from the FIDO Alliance. Learn about digital identity and fast, phishing-resistant authentication with passkeys.