OpenAI Mandates Passkey Authentication for Trusted Access for Cyber (TAC) Program
OpenAI has implemented a mandatory passkey requirement for users in its Trusted Access for Cyber (TAC) program to secure access to its most advanced AI models.

OpenAI has officially updated its security protocols, requiring all participants in its Trusted Access for Cyber (TAC) program to utilize passkeys for authentication. This policy shift, which took effect on June 1, 2026, is designed to provide a more robust defense against phishing and credential-based attacks for users who interact with the company's most powerful AI models. By moving away from traditional password-based authentication, OpenAI aims to significantly reduce the risk of unauthorized access to sensitive AI development environments.
The initiative is being executed in partnership with Yubico, a leader in hardware-based authentication solutions. Passkeys, which are credentials built on the FIDO2 standards, allow users to authenticate using biometric data or local device security, such as a fingerprint or facial recognition, rather than relying on potentially vulnerable passwords. This transition is part of a broader industry trend where high-stakes technology providers are adopting phishing-resistant authentication methods to protect intellectual property and sensitive research data.
The TAC program serves as a critical gateway for researchers, developers, and partners who require access to OpenAI’s cutting-edge infrastructure. Given the potential for AI models to be misused if compromised, securing the accounts of those with high-level access has become a top priority for the organization. The mandate ensures that even if a user's credentials were to be intercepted via a phishing campaign, an attacker would still be unable to gain access without the physical device or biometric verification associated with the passkey.
This move reflects a growing awareness of the unique threat landscape facing AI companies. As AI models become more integrated into enterprise workflows and critical infrastructure, the security of the platforms hosting these models is increasingly scrutinized. By enforcing hardware-backed authentication, OpenAI is setting a higher security bar for its ecosystem, effectively mitigating common attack vectors that have historically plagued large-scale software development platforms.
While the current requirement is limited to the TAC program, the adoption of passkeys by a major player like OpenAI often signals a shift in standard practices for the wider AI industry. As organizations continue to grapple with sophisticated social engineering and credential-harvesting campaigns, the move toward passwordless, phishing-resistant authentication is expected to become the baseline for secure AI development and deployment environments globally.