OpenAI introduces Advanced Account Security for ChatGPT

Per OpenAI's "Introducing Advanced Account Security" blog post, OpenAI released Advanced Account Security, an opt-in security mode for ChatGPT and Codex accounts on April 30, 2026. The mode disables password-based login and requires users to enroll phishing-resistant authentication methods, such as passkeys or physical security keys, per OpenAI. Advanced Account Security also disables email- and SMS-based account recovery and restricts help from support for account recovery, according to reporting from Wired and Axios. Wired and Axios report the feature applies to all users, including the free tier, and is aimed at higher-risk groups such as journalists, elected officials, researchers, and political dissidents.

Per OpenAI's announcement, enrolled accounts must sign in using passkeys or hardware security keys while password login is turned off. OpenAI describes recovery options limited to recovery keys, backup passkeys, or physical security keys rather than email or SMS. Wired and Axios additionally report the mode shortens session lengths, increases login alerts, and provides tools to view and terminate active sessions.

Per Yubico's press release, Yubico and OpenAI announced a partnership to offer a 2-pack of custom YubiKey devices designed for the program, including a YubiKey C NFC and a YubiKey C Nano. Yubico's press release quotes Jerrod Chong, chief executive officer, describing the offering as a low-friction, hardware-backed option for phishing-resistant authentication.

Axios quoted Ogbeide Oigiagbe of OpenAI saying, "Users continue to use ChatGPT for some of their most sensitive and personal matters, and it only makes sense that we as a company try to make available capabilities that meets our users with how they use our product." Wired and Axios provide additional reporting on the user groups targeted and the operational effects of the mode.

Editorial analysis: Companies and services protecting high-risk users have long offered comparable options, such as vendor Advanced Protection programs that require hardware-backed keys or passkeys. For practitioners, enforcing passkeys or hardware-backed authentication is a common hardening pattern to reduce successful phishing and credential-stuffing attacks, and disabling email/SMS recovery closes a frequent attacker avenue.

Editorial analysis: Requiring only phishing-resistant credentials and removing support-driven recovery reduces the attack surface but raises account-recovery friction for legitimate users. Observers following similar programs note that support teams typically move toward pre-enrollment guidance, recovery key education, and hardware-distribution channels when account recovery paths are narrowed. The Yubico partnership is an example of a vendor-channel approach to lower the friction of obtaining hardware keys.

Editorial analysis: Practitioners should watch adoption signals among high-risk user groups, the frequency of lockouts reported after enrollment, and whether third-party tooling or enterprise identity providers integrate passkey and security-key workflows with OpenAI accounts. Also monitor guidance and educational materials from OpenAI and Yubico on key provisioning, backup passkey workflows, and incident response for locked accounts.