OpenAI Introduces Advanced Account Security for ChatGPT
Per OpenAI's April 30, 2026 blog post, OpenAI introduced Advanced Account Security (AAS), an opt-in protection for ChatGPT and Codex accounts that enforces phishing-resistant sign-in and stricter recovery controls. Per OpenAI, its help center, and reporting in Wired, AAS requires passkeys or FIDO-compatible hardware security keys, disables password-based login and email/SMS recovery, and requires users to save recovery keys; enrolling signs users out of active sessions and the feature enforces shorter session windows.
What happened
Per OpenAI's April 30, 2026 blog post, OpenAI introduced Advanced Account Security (AAS), an opt-in security tier for consumer ChatGPT accounts that also applies to Codex accounts accessed through the same login. Per OpenAI's product help article, AAS replaces password sign-in with phishing-resistant methods by requiring passkeys or FIDO-compatible hardware security keys, and it disables password-based login and email or SMS account recovery. Per OpenAI's help center, enrolling requires saving recovery keys and adding at least two secure sign-in methods, including one that works across devices, and the enrollment flow signs the user out of all devices.
Per TechCrunch, OpenAI announced a partnership with Yubico and will offer co-branded YubiKey bundles to users; TechCrunch quoted Yubico CEO Jerrod Chong: "Ultimately, our intent is to drastically reduce the threat of unauthorized access to sensitive data in OpenAI accounts worldwide." Per Wired, enabling AAS prevents users from seeking account recovery help from OpenAI support because support no longer has access or control over the stronger recovery options. Per OpenAI's help documentation, AAS is not available for ChatGPT Enterprise users, enterprise-managed accounts, or accounts associated with enterprise-managed domains.
Editorial analysis - technical context
Industry-pattern observations: moving from passwords to passkeys and FIDO-backed hardware keys is a well-established way to reduce successful phishing and credential-theft attacks. Requiring multiple cross-device authentication factors and disabling SMS/email recovery significantly reduces account-takeover risk, but it shifts the operational burden onto users and administrators to store recovery keys securely. Hardware keys and passkeys provide cryptographic proof of possession, and because the signature is bound to the site the browser is actually on, they resist the common remote attack vectors that defeat passwords and one-time SMS codes.
Industry context
Industry observers note major consumer platforms already offer enhanced protection tiers to high-risk users, and Wired explicitly compared OpenAI's AAS to Google's Advanced Protection program. The addition of purchasable YubiKey bundles, reported by TechCrunch, addresses a common availability friction for hardware keys but leaves pricing and distribution details to watch. For security teams and high-value users, the tradeoff is the familiar one between stronger, phishing-resistant authentication and the risk that lost keys or unretrievable recovery keys mean permanent account loss.
What to watch
For practitioners and observers: whether OpenAI broadens availability beyond eligible personal accounts and how workspace-linked or mixed-managed accounts behave; adoption metrics among high-risk user groups such as journalists and researchers; pricing and shipping details for the Yubico bundles; the frequency and nature of account recovery support requests after rollout; and any changes in enterprise policies that affect whether AAS can be enabled for corporate-managed identities.
For practitioners
If you support high-risk users or manage identity for teams that use ChatGPT, monitor the help center guidance OpenAI published for enrollment requirements and retention of recovery keys. Industry best practices for passkey and hardware key management, secure key backups, and offline storage apply directly to users who opt into AAS.
Scoring Rationale
This is a notable security update that materially changes authentication for ChatGPT and Codex users, reducing phishing attack surface while raising account recovery and operational considerations for practitioners. It is impactful for practitioners who manage high-risk users but not a broad platform-shifting technical release.