OpenAI tightens security requirements for top-tier AI models
▼ Summary
– OpenAI will require passkeys for individuals in its Trusted Access for Cyber (TAC) program starting June 1, 2026, to secure access to its most powerful AI models.
– Yubico’s hardware-backed passkeys, like YubiKeys, provide phishing-resistant protection and serve as a critical circuit breaker for high-consequence AI actions.
– The mandate moves security from probabilistic passwords to cryptographic certainty, as emphasized by Yubico’s chief product and technology officer.
– Yubico’s authentication integrates with enterprise SSO workflows and offers zero-knowledge recovery to maintain access without manual account resets.
– The physical “tap” of a YubiKey verifies human intent, ensuring that AI actions are authorized by a verified person.
Starting June 1, 2026, anyone participating in OpenAI’s Trusted Access for Cyber (TAC) program must enable Advanced Account Security (AAS) to access the company’s most powerful AI models. The new requirement, announced alongside Yubico’s role in the initiative, makes hardware-backed passkeys mandatory for those handling sensitive codebases and autonomous AI agents.
Yubico, a leader in hardware authentication, is positioning its YubiKeys as a core component of this security shift. The mandate reflects a broader industry recognition that traditional passwords are no longer sufficient when AI systems can analyze vulnerabilities and act on behalf of users. As Albert Biketi, chief product and technology officer at Yubico, put it, “In that world, the only thing more powerful than the AI itself is the identity of the person controlling it.”
The move marks a transition from “probabilistic” security,where we hope a password is strong enough,to what Biketi calls “cryptographic certainty that only hardware can provide.” OpenAI’s “security by default” approach enforces rigorous authentication for users who need it most, particularly developers working with frontier models like Codex.
For organizations, the mandate introduces several practical benefits. Phishing-resistant passkeys, including hardware-backed YubiKeys, offer a higher level of protection for TAC participants. Enterprises can integrate Yubico’s authentication into their SSO workflows to meet OpenAI’s standards. With OpenAI removing manual account resets, zero-knowledge recovery through Yubico’s “Primary and Backup” bundles ensures users maintain mission-critical access. And the physical “tap” of a YubiKey serves as a verifiable human intent check, acting as a circuit breaker before high-consequence AI actions are executed.
This requirement builds on the existing partnership between Yubico and OpenAI, reinforcing the idea that as AI becomes more autonomous, the identity of the person controlling it must be secured with the same rigor as the AI itself.
(Source: Help Net Security)
