OpenAI Mandates Hardware Passkeys for TAC Cyber Members

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- OpenAI announced that starting September 1, all individual members of Trusted Access for Cyber (TAC) must enable Advanced Account Security using a hardware-backed passkey to retain access to frontier cyber models.
- OpenAI is simultaneously tightening access restrictions for high-risk entities and jurisdictions as part of the same initiative.
- Yubico is supplying the hardware through a custom 2-pack of YubiKeys — a C NFC for mobile and a C Nano for laptops — offered to existing TAC account holders at preferred pricing.
- The Advanced Account Security program deliberately disables weaker fallback methods, replicating the same security posture OpenAI uses internally to safeguard its own infrastructure and employees.
- Hardware-backed passkeys are designed to be phishing-resistant, raising costs for threat actors who create, validate, and resell compromised accounts for downstream abuse.
Why it matters: Security researchers probing OpenAI's frontier models now face a September 1 deadline to adopt hardware keys or lose access. The mandate sets a new industry standard by deliberately disabling fallback MFA — which Yubico says is easily bypassed or intercepted — and replacing it with phishing-resistant credentials trusted enough for OpenAI's own staff.



