OpenAI and Yubico: Securing GPT-5.6 with Hardware Passkeys

OpenAI has released the GPT-5.6 family of models, which the company says offers performance at the frontier of AI capabilities while consuming fewer tokens during operation.
The announcement includes a new access requirement for individual members participating in OpenAI's Trusted Access for Cyber programme.
These users must now adopt hardware-backed passkeys to maintain access to the company's most capable models.
Individual members of the programme face a deadline of one September 2026 to enable Advanced Account Security using hardware-backed passkeys. Those who do not meet this requirement will lose access to frontier models and return to default access levels.
This security stride comes as OpenAI unveils its latest flagship model, GPT-5.6 Sol, which delivers significant gains across cybersecurity benchmarks while expanding the defensive tasks available to verified users through the TAC programme.
Model performance across cyber benchmarks
According to OpenAI, GPT-5.6 Sol achieves 73.5% on ExploitBench β which evaluates how successfully a model progresses from identifying vulnerable code to arbitrary code execution β compared to 47.9% for GPT-5.5. The firm says this represents its strongest model performance to date.
ExploitGym is a benchmark that asks agents to turn real-world vulnerabilities into working exploits. GPT 5.6's performance on ExploitGym increased from 15.1% for its predecessor to 24.9% within a two-hour operational limit.
On SEC-Bench Pro, which tests proof of concept generation, the score improved from 45.8% to 71.2% with GPT 5.6.
The company says token consumption decreased while achieving these performance gains.
GPT-5.6 supports tasks including secure code review, patching, threat modelling and blue teaming. These functions are available to users with appropriate access levels.
Through the Trusted Access for Cyber programme, qualified members can access enhanced capabilities for vulnerability triage and validation. The model also supports malware analysis, detection engineering and patch validation within authorised environments.
Hardware authentication becomes mandatory
OpenAI now requires individual Trusted Access for Cyber members to secure accounts using hardware-backed passkeys.
The company previously partnered with Yubico to integrate hardware-backed security keys for ChatGPT users.
For users without existing hardware-backed passkeys, OpenAI has introduced preferred pricing for Yubico security keys.
βBy requiring hardware-backed passkeys rather than sync passkeys or software-based alternatives, OpenAI is validating that our product is the best defence for account takeover. β
The company says it is implementing additional restrictions for what it describes as high-risk entities and jurisdictions.
Yubico already provides security keys for OpenAI employees and infrastructure. The new requirement extends this relationship to users seeking access to the company's most advanced models.
"This directive represents a strategic and commercial validation for Yubico," says Jerrod Chong, CEO of Yubico.
"By requiring hardware-backed passkeys rather than sync passkeys or software-based alternatives, OpenAI is validating that our product is the best defence for account takeover."
Authentication as access control
Jerrod says the requirement could help adoption of OpenAI YubiKey bundles across the Trusted Access for Cyber ecosystem.
"This milestone deepens our partnership with OpenAI – which already relies on YubiKeys for protecting its own employees and infrastructure – and further strengthens our leadership in providing the highest level of authentication as state-of-the-art models scales," says Jerrod.
OpenAI's decision to mandate hardware-backed passkeys for access to its most capable models is a measured security move to limit unauthorised access to advanced capabilities.
Hardware-backed passkeys are considered more resistant to phishing attacks than software-based alternatives.



