Security & Trust Jul 14, 2026 at 22:308Add to bookmarks

Hardware-bound passkey mandatory as of September 1st to access cutting-edge cyber models. A standard measure - and that's precisely what makes it interesting.
Members of OpenAI's Trusted Access for Cyber program will need to activate a hardware-backed passkey—a physical key—to retain access to OpenAI's cutting-edge cyber models. Deadline: September 1, 2026.
The TAC program brings together security researchers and advocates who use OpenAI's most capable models to identify vulnerabilities and harden software. The company now conditions this access on the activation of "Advanced Account Security" via a hardware passkey, while also tightening access restrictions for high-risk entities and jurisdictions. The argument put forward: a hardware passkey makes accounts "significantly more difficult and costly for threat actors to exploit at scale."
The interest is not the technology—the hardware key is a proven standard, and nothing here is innovative. The interest lies in what the measure implicitly acknowledges: a security researcher's account has become an attack asset. Access to a cutting-edge cyber model, resold on a gray market, is evidently valuable enough to justify the phishing of credentials. OpenAI is not just protecting its users: it is protecting an offensive capability from being misappropriated.
This is also a governance precedent. A provider segments its models by capability level and attaches an authentication level to each level. It is no longer a usage policy, but an access control. The difference is significant: a policy can be violated, a control can be bypassed.
If this scheme extends to biological, chemical capabilities, or autonomous agents, access to cutting-edge models will increasingly resemble access to regulated material—authorization, traceability, exclusions by jurisdiction. That would be the real news, and it won't be announced in a press release.
Article produced by artificial intelligence, reviewed under human editorial control.
Sign in to join the discussion.
Comment OpenAI gère la perte ou la panne de la clé ? Y a-t-il une solution de secours ou ça bloque tout ?
Cette mesure va-t-elle compliquer la vie des chercheurs qui bossent sur le cloud ?
Est-ce que cette clé physique va compliquer la vie des chercheurs qui voyagent ou travaillent à distance ?
Est-ce que cette obligation de clé matérielle va rendre l'accès aux modèles plus difficile pour les chercheurs des pays en développement ?
Ça va ralentir les chercheurs ou ça va vraiment sécuriser ?
Est-ce que les chercheurs extérieurs vont devoir passer par des étapes supplémentaires pour accéder aux modèles ?
Une clé physique, c'est une bonne idée ? J'espère que ça va vraiment protéger les données.
Est-ce que d'autres entreprises vont suivre ? Ça pourrait devenir la norme en cybersécurité ?