OpenAI Launches Advanced Account Security with Mandatory Hardware Key Support
OpenAI has introduced an opt-in "Advanced Account Security" feature for ChatGPT and Codex that mandates phishing-resistant authentication via passkeys or hardware security keys while disabling traditional password-based logins.

OpenAI has launched a new opt-in feature called "Advanced Account Security" designed to provide enhanced protection for ChatGPT and Codex accounts. This initiative targets high-risk users, including journalists, researchers, political dissidents, and elected officials, who frequently handle sensitive professional or personal information (SecurityWeek). The feature aims to mitigate the risk of account takeovers by shifting away from traditional, phishable authentication methods toward more robust, hardware-backed security standards (Help Net Security).
The core of the new security model is the complete removal of password-based logins. Once enabled, users must authenticate exclusively through FIDO-compliant physical security keys or passkeys (Help Net Security). To support this transition, OpenAI has partnered with Yubico to offer discounted bundles featuring the YubiKey C Nano and YubiKey C NFC, though users remain free to utilize any FIDO-compliant hardware or software-based passkeys (Help Net Security).
Account recovery processes have also been overhauled to eliminate common attack vectors. Traditional recovery methods, such as email and SMS, have been replaced by a system relying on backup passkeys, recovery keys, and physical security keys (SecurityWeek). OpenAI explicitly warns that once these advanced protections are activated, its support team will no longer be able to assist with account recovery, placing the full responsibility for credential management on the user (Help Net Security).
Beyond authentication, the feature introduces stricter session management. Sign-in sessions are automatically shortened to minimize the window of opportunity for attackers in the event of a device or session compromise (SecurityWeek). Additionally, users gain improved visibility into their account activity, with alerts for new logins and tools to manage active sessions (SecurityWeek). As a privacy-focused benefit, accounts enrolled in this program are automatically excluded from having their conversations used to train OpenAI’s AI models (Help Net Security).
While the feature is currently optional for most users, OpenAI is making it mandatory for specific groups. Starting June 1, 2026, members of the "Trusted Access for Cyber" program who access the company’s most capable models will be required to enable Advanced Account Security (Help Net Security). Organizations participating in this program may alternatively attest that they have already implemented phishing-resistant authentication within their own single sign-on (SSO) workflows (Help Net Security).
This rollout reflects a broader industry trend toward adopting FIDO2 and WebAuthn specifications to combat sophisticated phishing and credential-stuffing attacks (Help Net Security). By aligning with the security practices already established by major platforms like Google, Microsoft, and GitHub, OpenAI is attempting to harden its ecosystem against the types of targeted threats that have previously impacted its infrastructure, including supply chain vulnerabilities and unauthorized access attempts (SecurityWeek).