Access to OpenAI’s most cyber-capable AI models will soon require something no phishing email can steal: a physical security key tapped against a phone or plugged into a laptop.

From September 1, individual members of the company’s Trusted Access for Cyber program must switch on OpenAI’s Advanced Account Security feature using a hardware-backed passkey, or fall back to default model access. The program gives vetted security researchers and organisations elevated access to advanced AI capabilities for authorised defensive work, spanning vulnerability triage and validation, malware analysis, detection engineering, and patch validation, and OpenAI is tightening restrictions on high-risk entities and jurisdictions as part of the same push against misuse.

A hardware-backed passkey lives in a physical key rather than syncing through software or the cloud, so the credential cannot be copied or extracted remotely. It also checks that the site asking for a login is the real one before authenticating, which defeats phishing and adversary-in-the-middle attacks, where a fraudulent page sits between the user and the genuine service. Enabling Advanced Account Security also lets users switch off the weaker fallback login methods that attackers otherwise target.

Yubico is supplying the hardware side, offering OpenAI account holders a custom two-pack at preferred pricing: a USB-C YubiKey that authenticates on phones and tablets with a tap over near-field communication, and a low-profile key that stays in a laptop port. OpenAI already uses YubiKeys internally to protect its own staff and infrastructure. “We are introducing a new model for phishing-resistant security at scale for the AI ecosystem,” said Jerrod Chong, chief executive of Yubico.

The move deepens OpenAI’s turn toward the authentication world it increasingly depends on. The company recently joined the FIDO Alliance to help shape how phones authenticate AI agents, and the credentials it is now mandating ride a wave of mainstream adoption, with the FIDO Alliance counting three billion passkeys in use.

For the vetted researchers involved, the calculus is simple: a credential that cannot be phished, copied, or synchronised makes a compromised account far harder and more expensive to create, validate, and resell, raising the cost of the most obvious way into a program built around trusted access to sensitive capability.


More

Biometric Update: Yubico hackathon to preview YubiKey 5.8 support for next-generation passkeys

Yubico will host a virtual developer hackathon for the FIDO Alliance developer community on August 5…

Read More →

PYMNTS: Mastercard Wants to Teach AI Agents How to Spend

For nearly 60 years, Mastercard has answered one question over and over. How do you get two…

Read More →

Biometric Update: EMVCo proposes global schema for verifiable digital payment credentials

EMVCo has put a draft framework out for consultation that aims to bring verifiable digital credentials…

Read More →


Subscribe to the FIDO newsletter

Stay Connected, Stay Engaged

Receive the latest news, events, research and implementation guidance from the FIDO Alliance. Learn about digital identity and fast, phishing-resistant authentication with passkeys.