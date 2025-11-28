Sunday, November 30 marks three years since ChatGPT was released to the public. In that time, OpenAI’s generative AI (GenAI) has changed how we work, learn and communicate. So the cyber threats have changed; error-filled phishing emails and SMS texts have largely disappeared.

We should rethink how we approach identity security, says Niall McConachie, regional director (UK & Ireland) at Yubico. He says: “ChatGPT’s third birthday isn’t just a tech milestone; it marks the democratisation of cybercrime like phishing globally. We’re no longer just dealing with poor grammar and clumsy scams – we’re now facing automated, adaptive threats that blur the lines of what humans can detect between real and AI. Attackers are now using GenAI to automatically write malicious code at scale, and generate convincing phishing sites that evolve faster than traditional cyber defences can keep up with. GenAI can now replicate the tone, urgency and context of a colleague, friend or brand, and can do so at scale. As we reflect on three years of ChatGPT, we must acknowledge a critical shift – the human line of defence has been breached and it can no longer be our primary safeguard.

“The public clearly senses this shift. Recent research shows that 81 percent* of people are now concerned about AI threatening the security of their personal or business accounts, which is a 20 percent increase from last year. That’s not just a data point, it signals a growing crisis of confidence. Yet many individuals and businesses are still relying on insecure passwords and one-time codes, even though these are easily bypassed by AI-generated phishing attacks or behaviour mimicry. If we continue to depend on these outdated methods, we will fall behind.

“The only meaningful defence in this new era of GenAI-driven crime is phishing-resistant multi-factor authentication (MFA) tools like passkeys. Hardware security keys offer exactly that and provide immunity from even the most advanced AI-powered scams. This is because they require something you have (a physical key), something you know (a PIN) and something you are (physical touch of the key to gain access to accounts). If an AI can deceive a person, but can’t trick the protocol, that’s where our protection must begin.”