Yubico: Why OpenAI Mandates Hardware Passkeys for GPT-5.6

Share this article
Share this article
Prioritise Us on Google
Jerrod Chong, CEO of Yubico
Jerrod Chong, CEO of Yubico, says OpenAI's new passkey requirement validates hardware-backed authentication as the strongest defence for account takeover

OpenAI has launched the GPT-5.6 family of models, promising frontier performance while burning through fewer tokens. 

With this announcement, the frontier AI company is also clamping down on access by making hardware-backed passkeys mandatory for individual members of its Trusted Access for Cyber (TAC) programme

From 1 September 2026, individual TAC members must enable Advanced Account Security using a hardware-backed passkey to retain access to OpenAI's most cyber-capable frontier models. Users who fail to meet the requirement will revert to default access.

Youtube Placeholder

This security stride comes as OpenAI unveils its latest flagship model, GPT-5.6 Sol, which delivers significant gains across cybersecurity benchmarks while expanding the defensive tasks available to verified users through the TAC programme.

OpenAI raises the bar for cybersecurity

OpenAI says GPT-5.6 Sol is its strongest cybersecurity model to date, delivering major improvements across software security benchmarks while using significantly fewer tokens than its predecessor. 

The model achieved 73.5% ExploitBench, up from GPT-5.5's 47.9%, while almost doubling peak performance on ExploitGym from 15.1% to 24.9% within a two-hour limit. 

It also improved its score on SEC-Bench Pro from 45.8% to 71.2%, demonstrating stronger capabilities in proof-of-concept generation for complex software.

Cybersecurity performance matrix | Credit: OpenAI

Beyond just the bench, OpenAI says GPT-5.6 supports defensive security tasks including secure code review, patching, threat modelling and blue teaming.

Through the Trusted Access for Cyber programme, qualified members can also use enhanced capabilities for vulnerability triage and validation, malware analysis, detection engineering and patch validation within authorised environments.

Yubico and OpenAI partner on passkeys

Superior technology like that of GPT-5.6 requires strong safeguards. 

By requiring hardware-backed passkeys rather than sync passkeys or software-based alternatives, OpenAI is validating that our product is the best defence for account takeover.
Jerrod ChongCEO of Yubico

To amplify the defences around these higher-risk capabilities, OpenAI is requiring individual TAC members to secure their accounts with hardware-backed passkeys. 

The company had previously partnered with Yubico to bring hardware-backed security keys directly to ChatGPT users.

For those who do not already have hardware-backed passkeys, the company also introduced preferred pricing for Yubico security keys, and says it is implementing additional restrictions for high-risk entities and jurisdictions. This represents a significant endorsement of hardware security keys and the growing industry focus on phishing-resistant authentication.

Youtube Placeholder

Yubico already supplies security keys to protect OpenAI employees and infrastructure. The new requirement also extends that relationship to users seeking access to OpenAI's most advanced cybersecurity models.

“This directive represents a significant strategic and commercial validation for Yubico,” says Jerrod Chong, CEO of Yubico. 

“By requiring hardware-backed passkeys rather than sync passkeys or software-based alternatives, OpenAI is validating that our product is the best defence for account takeover.

“This requirement will also help drive the adoption of our OpenAI YubiKey bundles across the TAC ecosystem.

“This milestone deepens our partnership with OpenAI – which already relies on YubiKeys for protecting its own employees and infrastructure – and further strengthens our leadership in providing the highest level of authentication as state-of-the-art models scales.”

By making hardware-backed passkeys a condition of access for its most capable cybersecurity models, OpenAI is signalling that strong authentication is becoming a core safeguard rather than an optional security feature. 

Company portals

Executives