Yubico: Why OpenAI Mandates Hardware Passkeys for GPT-5.6

OpenAI has launched the GPT-5.6 family of models, promising frontier performance while burning through fewer tokens.
With this announcement, the frontier AI company is also clamping down on access by making hardware-backed passkeys mandatory for individual members of its Trusted Access for Cyber (TAC) programme.
From 1 September 2026, individual TAC members must enable Advanced Account Security using a hardware-backed passkey to retain access to OpenAI's most cyber-capable frontier models. Users who fail to meet the requirement will revert to default access.
This security stride comes as OpenAI unveils its latest flagship model, GPT-5.6 Sol, which delivers significant gains across cybersecurity benchmarks while expanding the defensive tasks available to verified users through the TAC programme.
OpenAI raises the bar for cybersecurity
OpenAI says GPT-5.6 Sol is its strongest cybersecurity model to date, delivering major improvements across software security benchmarks while using significantly fewer tokens than its predecessor.
The model achieved 73.5% ExploitBench, up from GPT-5.5's 47.9%, while almost doubling peak performance on ExploitGym from 15.1% to 24.9% within a two-hour limit.
It also improved its score on SEC-Bench Pro from 45.8% to 71.2%, demonstrating stronger capabilities in proof-of-concept generation for complex software.
Beyond just the bench, OpenAI says GPT-5.6 supports defensive security tasks including secure code review, patching, threat modelling and blue teaming.
Through the Trusted Access for Cyber programme, qualified members can also use enhanced capabilities for vulnerability triage and validation, malware analysis, detection engineering and patch validation within authorised environments.
Yubico and OpenAI partner on passkeys
Superior technology like that of GPT-5.6 requires strong safeguards.
“By requiring hardware-backed passkeys rather than sync passkeys or software-based alternatives, OpenAI is validating that our product is the best defence for account takeover. ”
To amplify the defences around these higher-risk capabilities, OpenAI is requiring individual TAC members to secure their accounts with hardware-backed passkeys.
The company had previously partnered with Yubico to bring hardware-backed security keys directly to ChatGPT users.
For those who do not already have hardware-backed passkeys, the company also introduced preferred pricing for Yubico security keys, and says it is implementing additional restrictions for high-risk entities and jurisdictions. This represents a significant endorsement of hardware security keys and the growing industry focus on phishing-resistant authentication.
Yubico already supplies security keys to protect OpenAI employees and infrastructure. The new requirement also extends that relationship to users seeking access to OpenAI's most advanced cybersecurity models.
“This directive represents a significant strategic and commercial validation for Yubico,” says Jerrod Chong, CEO of Yubico.
“By requiring hardware-backed passkeys rather than sync passkeys or software-based alternatives, OpenAI is validating that our product is the best defence for account takeover.
“This requirement will also help drive the adoption of our OpenAI YubiKey bundles across the TAC ecosystem.
“This milestone deepens our partnership with OpenAI – which already relies on YubiKeys for protecting its own employees and infrastructure – and further strengthens our leadership in providing the highest level of authentication as state-of-the-art models scales.”
By making hardware-backed passkeys a condition of access for its most capable cybersecurity models, OpenAI is signalling that strong authentication is becoming a core safeguard rather than an optional security feature.






