OpenAI Adds Advanced Account Security to ChatGPT

OpenAI has launched Advanced Account Security, an opt-in setting for ChatGPT and Codex accounts that makes phishing-resistant sign-in the default for users who enable it. Per OpenAI and reporting from TechCrunch, the mode disables password login and email/SMS account recovery and requires users to register two separate credentials - passkeys and/or FIDO2 physical security keys such as YubiKeys. OpenAI is partnering with Yubico to offer a discounted bundle of two co-branded keys (the YubiKey C Nano and C NFC) for $68. OpenAI says the feature is aimed at higher-risk users - journalists, elected officials, dissidents, and researchers - but is available to everyone, including free-tier accounts. The goal is to cut account-takeover and phishing risk for accounts that accumulate sensitive personal or professional context.
What happened
OpenAI introduced Advanced Account Security, an optional setting for ChatGPT and Codex accounts, per OpenAI's announcement and reporting from TechCrunch. When enabled, it disables password-based sign-in and account recovery via email or SMS, and requires the user to register two separate phishing-resistant credentials - device-based passkeys and/or FIDO2 physical security keys such as YubiKeys. OpenAI frames the feature for users who accumulate sensitive personal or professional context, naming journalists, elected officials, political dissidents, and researchers, while making it available to all users, including the free tier.
Technical details
- Password sign-in and password/email/SMS recovery are turned off; recovery relies on backup passkeys, additional security keys, or recovery keys.
- Users must enroll two separate credentials, choosing from device passkeys, YubiKeys, or any FIDO2-compliant hardware token.
- OpenAI partnered with Yubico on a discounted bundle of two co-branded keys (YubiKey C Nano and C NFC) priced at $68, though other FIDO2 keys and software passkeys are also supported.
Editorial analysis - industry context
Industry-pattern observation: platforms protecting high-risk users commonly require hardware-backed or passkey multi-factor authentication and remove weaker recovery paths. This sharply reduces phishing and SIM-swap success but raises onboarding and operational friction, since organizations must provision, back up, and manage keys.
What to watch
- Adoption among the security-sensitive groups OpenAI targets.
- Whether OpenAI documents enterprise SSO or device-management integration, key rotation, and lost-key recovery.
- Availability and uptake of the discounted Yubico bundle.
Practical takeaway for practitioners
For security teams evaluating controls on AI-platform accounts, this is a higher-assurance model - phishing-resistant credentials plus removal of fallback channels - that is effective against most account-takeover vectors but requires clear policies for backup keys and user education.
Key Points
1. Advanced Account Security disables passwords and email/SMS recovery, requiring two phishing-resistant credentials (passkeys or FIDO2 security keys) to sign in.
2. OpenAI partnered with Yubico on a discounted two-key bundle ($68), and any FIDO2-compliant key or device passkey also works.
3. It is opt-in and available to all users but pitched at high-risk groups, trading lower attack surface for added key-management overhead.
Scoring Rationale
A real, notable security launch from a leading AI lab that brings phishing-resistant passkey and hardware-key authentication, plus a Yubico hardware bundle, to the most widely used AI product. It is opt-in and pitched at high-risk users rather than a mandatory platform-wide change, so its impact is meaningful but targeted. Scored in the notable range for security-conscious practitioners.