HelpnetSecurity

ChatGPT advanced account security adds passkeys and hardware keys


Journalists, elected officials, researchers, and political dissidents have spent years moving their accounts to phishing-resistant authentication on the consumer platforms that offer it. ChatGPT now joins those platforms. OpenAI has introduced Advanced Account Security, an opt-in setting that strips password-based sign-in from ChatGPT and Codex accounts and replaces it with passkeys or physical security keys.

What enrollment changes

Enrolled accounts use passkeys or hardware security keys for sign-in, with password login disabled. Email and SMS account recovery are removed, closing a path attackers commonly exploit once a victim’s phone number (for example through SIM swapping) or inbox has been compromised. Recovery is limited to backup passkeys, security keys, and recovery keys held by the user. Once a user enrolls, OpenAI Support cannot assist with recovery, so responsibility for backup credentials rests entirely with the account holder: a second passkey or key should be registered and the recovery key stored offline before relying on the setting.

Sign-in sessions are shortened to limit exposure if a device or active session is compromised. The setting covers ChatGPT and Codex under the same login, so a single enrollment carries across both products.

Conversations from accounts with the setting enabled are automatically excluded from model training. The default opt-out targets users handling sensitive personal or professional material who want assurance that their inputs stay out of training data without having to manage the preference manually.

Yubico partnership and FIDO support

OpenAI has partnered with Yubico to offer preferred pricing on a bundle of two YubiKeys aimed at the new security setting. The bundle includes the YubiKey C Nano, designed to remain seated in a laptop port for daily authentication, and the YubiKey C NFC for backup and cross-device use across laptops and mobile devices.

Users are free to use any FIDO-compliant security key or software-based passkeys. The setting follows the same standards already adopted by Google, Microsoft, GitHub, and other vendors that built phishing-resistant authentication around the FIDO2 and WebAuthn specifications. The phishing resistance comes from the browser binding every signed response to the origin of the site actually loaded, so a look-alike domain cannot obtain a response the real service will accept.
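To make the phishing-resistance claim concrete, here is an added example (written for this page, not code from OpenAI, Yubico, or the FIDO specifications) of the relying-party checks a server performs on a WebAuthn assertion, with a simulated authenticator driving the same key from a genuine origin and from a look-alike phishing origin. The domains (`login.example`, `login-example.com`) and challenge strings are constructed; real deployments use a fresh random challenge per ceremony, parse the CBOR attestation at registration, and check the signature counter, all of which are omitted here for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the part of WebAuthn clientDataJSON the RP checks. The browser
// writes it; page JavaScript cannot alter the origin it records.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what navigator.credentials.get() hands back to the RP.
type Assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON []byte
	Sig            []byte // ES256 (ECDSA P-256 over SHA-256), ASN.1 DER
}

// sign stands in for browser plus passkey or security key: it signs
// SHA-256(authData || SHA-256(clientDataJSON)). The browser, not the page, fills
// in origin and rpIdHash from the site actually loaded; that is what binds the
// assertion to the real site and makes the scheme phishing-resistant.
func sign(priv *ecdsa.PrivateKey, origin, rpID, challenge string) Assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	auth := make([]byte, 37) // signCount left at zero: "counter not supported"
	copy(auth, rpHash[:])
	auth[32] = 0x01 // flags: UP (user present)
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, auth...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err) // simulator only; a real authenticator reports failure to the browser
	}
	return Assertion{AuthData: auth, ClientDataJSON: cd, Sig: sig}
}

// VerifyAssertion runs the RP-side checks of the WebAuthn authentication
// ceremony. Any error means: do not sign this user in.
func VerifyAssertion(pub *ecdsa.PublicKey, a Assertion, wantOrigin, rpID, wantChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != wantChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != wantOrigin {
		return fmt.Errorf("origin %q is not this RP: phishing page?", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(rpHash[:]) {
		return errors.New("authenticatorData malformed or rpIdHash belongs to a different RP")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Sig) {
		return errors.New("signature does not verify under the registered key")
	}
	return nil
}

// Demo runs three ceremonies against one registered key: a genuine sign-in
// (expect nil), the same key driven from an attacker's look-alike origin, and
// the genuine assertion replayed after the RP rotated its challenge.
// Domains and challenges are constructed for the example.
func Demo() (legit, phish, replay error) {
	const rpID, origin = "login.example", "https://login.example"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	a := sign(priv, origin, rpID, "challenge-1")
	legit = VerifyAssertion(&priv.PublicKey, a, origin, rpID, "challenge-1")
	// The phishing page relays the real challenge, but the browser stamps the
	// attacker's origin and rpIdHash into the signed data. (A real browser would
	// refuse to use a login.example credential there at all; this is the backstop.)
	p := sign(priv, "https://login-example.com", "login-example.com", "challenge-1")
	phish = VerifyAssertion(&priv.PublicKey, p, origin, rpID, "challenge-1")
	// The RP has since issued a fresh challenge; the captured assertion no longer fits.
	replay = VerifyAssertion(&priv.PublicKey, a, origin, rpID, "challenge-2")
	return legit, phish, replay
}

func main() {
	legit, phish, replay := Demo()
	fmt.Println("legit:", legit, "\nphish:", phish, "\nreplay:", replay)
}
```

The contrast with a password or a one-time code is the origin check and the rpIdHash: a credential phished through a look-alike domain is signed over the attacker's origin and the attacker's RP ID, so the real service rejects it even though the private key itself was genuine. The same property is why email and SMS recovery, which carry no origin binding, are the weak link the setting removes.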

Mandatory enrollment for Trusted Access for Cyber

“Individual members of Trusted Access for Cyber accessing our most cyber capable and permissive models will be required to enable Advanced Account Security beginning June 1, 2026. Organizations with trusted access can, as an alternative, attest that they have phishing resistant authentication as part of their single sign-on workflow,” OpenAI explained.
