OpenAI launches Advanced Account Security for ChatGPT with hardware keys and Yubico partnership

OpenAI announces new advanced security for ChatGPT accounts, including a partnership with Yubico | TechCrunch

OpenAI is getting serious about account security. The company on Thursday launched Advanced Account Security, a set of opt-in protections for ChatGPT users designed for high-value individuals -- but available to anyone who wants them. As part of that new program, digital security provider Yubico announced it has partnered with OpenAI to link two new security key products to ChatGPT accounts. The company said the partnership was designed to protect users from the threat of phishing, which is considered to be a growing threat for chatbot users. The two companies are releasing a pair of "co-branded" YubiKeys -- dubbed the YubiKey C NFC and the YubiKey C Nano. OpenAI has suggested that AAS is a good fit for political dissidents, journalists, researchers, and elected officials -- people who engage in politically charged and risky work. One would assume that it might make sense for enterprise users, whose corporate secrets are squirreled away in ChatGPT sessions. "Ultimately, our intent is to drastically reduce the threat of unauthorized access to sensitive data in OpenAI accounts worldwide," Yubico CEO Jerrod Chong said in press release announcing the deal. Security keys are small pieces of hardware that can be tied to digital accounts and enacted through a computer's USB ports. A unique cryptographic identifier lives on the key, which allows only the person in possession of it to log into a connected account. If the threat of phished ChatGPT accounts may seem somewhat abstract, there is a growing body of literature showing that bad actors are increasingly targeting chatbot users. Cybercriminals are always on the lookout for extortion-worthy information and, given the intimate nature of most chatbot conversations, there is plenty of fodder when it comes to both enterprise and personal-level users. Digital security is also becoming a bigger focus of the AI industry. Several weeks ago, Anthropic announced a new cybersecurity model called Mythos. Perhaps seeking to steal some of its competitor's thunder, OpenAI has also made a number of announcements related to digital security. Thursday's news of the Yubico partnership followed OpenAI's announcement that it's launching a new framework for digital defense. Of course, a security-key-enabled account does offer stronger protection, but it comes with a tradeoff: if the key is lost, OpenAI won't be able to help recover access. In practice, that means conversations could be lost for good.

OpenAI Rolls Out 'Advanced' Security Mode for At-Risk Accounts

For anyone who fears their ChatGPT and Codex accounts might be targeted by attackers, OpenAI announced on Thursday that it is adding an optional new level of account protection that adds an extra layer of security. Dubbed Advanced Account Security, the feature enforces strict access controls that would make account takeover attacks very difficult. Such measures are not a new idea in the realm of account security. Google, for example, has offered its Advanced Protection account security tier for nearly a decade. But as mainstream AI services rapidly proliferate around the world, there is a pressing need for an array of basic protections to be put in place. OpenAI says the launch is part of its broader cybersecurity strategy announced earlier this month. "People are turning to AI for deeply personal questions and increasingly high-stakes work," the company said on Thursday in a blog post. "Over time, a ChatGPT account can hold sensitive personal and professional context, and sit at the center of connected tools and workflows. For some people, like journalists, elected officials, political dissidents, researchers, and those who are especially security-conscious, the stakes are even higher." People who enable Advanced Account Security can no longer use regular passwords on their accounts. Instead, they must add two physical security keys or passkeys to significantly reduce the risk of successful phishing attacks. The feature also eliminates email and SMS texts and routes for doing account recovery. Instead, users must use recovery keys, backup passkeys, or physical security keys. OpenAI says it has partnered with Yubico to offer lower-cost YubiKey bundles to Advanced Account Security users. Crucially, when a user turns on Advanced Account Security, they can no longer seek help from OpenAI's support team for account recovery, because support no longer has access or control over any of the recovery options. This way, attackers can't attempt to break into accounts by targeting support portals with social engineering attacks. Advanced Account Security also enforces shorter sign-in windows and sessions before a user has to log in again on a device. And it produces alerts anytime someone logs in to the locked down account, pointing to the dashboard for reviewing active ChatGPT and Codex sessions. Additionally, while OpenAI offers the option for any user to opt out of having their ChatGPT conversations used for model training, this exclusion is on by default for Advanced Account Security users. Members of OpenAI's Trusted Access for Cyber program, which gives cybersecurity professionals, researchers, and others advanced access to new models, will be required to enable Advanced Account Security beginning on June 1 or submit an alternative attestation that they implement phishing-resistant authentication through an enterprise single sign-on mechanism.

OpenAI's Advanced Account Protection Dumps Passwords for Security Keys

To stop the most determined hackers, OpenAI is introducing a new security mode for ChatGPT and Codex accounts that ditches traditional passwords for more secure alternatives. The opt-in setting is called "Advanced Account Security," and features hardware security keys and software-based passkeys for account logins. The company is rolling out the new mode via ChatGPT's web interface in Settings > Security, which leads users to a page that outlines the pros and cons of the feature, along with a 3-step process to enroll. The new setting -- also available at chatgpt.com/advanced-account-security -- doesn't require hardware-based security keys. However, the enrollment process includes a discounted custom bundle from security maker Yubico that offers two hardware security keys for $68, including the YubiKey C NFC and YubiKey C Nano. Security keys from other vendors are also supported. OpenAI designed the mode for "people at increased risk of digital attacks," which could include government officials, corporate executives, researchers, and human rights activists. The Advanced Account Security works by making a user's account resistant to phishing messages, password guessing, and SIM swap attacks, which is how hackers usually crack online accounts. The new security mode dumps the traditional login option via email address and passwords, which hackers can steal to break in. In addition, OpenAI's advanced security mode disables the account recovery route through email and text-based SMS codes, which can also be phished. Users must instead login through a hardware key -- a physical USB device -- or a software-based passkey, which resides on a device, whether it's a PC or smartphone. Neither security system can be stolen through a remote digital hack, making them a more secure alternative to traditional passwords. The new security mode is similar to Google's Advanced Protection Program, which dates back to 2017 and required users to own two hardware security keys (one Bluetooth, one USB) before the company expanded support for passkeys. Google introduced the program over a year after Russian state-sponsored hackers used a spear-phishing email attack to break into the Gmail account of John Podesta, chair of Hillary Clinton's 2016 presidential campaign. OpenAI says its advanced security program is not a response to a hacking incident but intended to preempt future threats. Both ChatGPT and OpenAI's coding product, Codex, have been gaining wide-scale adoption and can handle sensitive details, including users' personal chats and confidential work projects. "For some people, like journalists, elected officials, political dissidents, researchers, and those who are especially security-conscious, the stakes are even higher," OpenAI notes. Of course, the new security mode comes with some trade-offs, especially for account recovery. OpenAI's Advanced Account Security is so locked down that the company itself won't be able to recover your account if you lose the hardware security keys or passkeys. That's why its enrollment process requires you to use at least two hardware security keys, or one hardware security key and one software-based passkey, with the extra key serving as a backup. Users can also enroll with two software-based passkeys, but one of them must be synced to the cloud via Google Password Manager or Apple's iCloud Keychain. For account recovery, OpenAI will issue backup recovery keys during enrollment. These strings of digits are meant to be stored in a safe place, enabling the user to recover their account on their own if all security keys and passkeys are lost. Another notable trade-off is that "sign-in sessions are shortened to reduce the window of exposure if a device or active session is compromised," the company says. So you'll probably need to log back in more frequently. OpenAI notes the security key bundle includes the YubiKey C Nano, which is "designed to stay in your laptop for simple, low-friction daily authentication." Logging back in with a passkey is also easy, since it's saved on the device. Advanced Account Security doesn't totally eliminate all hacking threats. For example, while a malware infection can't steal a passkey, let alone a hardware security key, the attack could still pave the way for a hacker to remotely hijack a computer, including its browser sessions. Another obvious attack vector is if your computer is stolen or seized by government authorities. Perhaps in response, OpenAI's new security mode lets you review and manage all active sessions across your account, giving you a way to see and disconnect devices that've logged in to your account. Users will also receive alerts when someone logs in to their account. In addition, Advanced Account Security automatically opts users out of exposing their data to AI model training, which can also be switched off by going to Settings > Data controls. If Advanced Account Security proves to be inconvenient, users can deactivate the feature. OpenAI also lets users pick and choose which extra safeguards they adopt; ChatGPT offers passkeys, hardware security key support, and multi-factor authentication in account settings.

OpenAI launches hardware security keys for ChatGPT with Yubico partnership and disables password login for high-risk users

OpenAI has released a security feature for ChatGPT accounts that treats them the way banks treat online banking: hardware keys, no passwords, no email recovery, and no help from customer support if you lose access. The feature, called Advanced Account Security, is an opt-in setting that requires users to authenticate with two passkeys, two hardware security keys, or one of each before they can log in to ChatGPT or Codex. Once enabled, password-based login is permanently disabled, and recovering an account through email or text message is no longer possible. OpenAI has partnered with Yubico, the Swedish-American hardware authentication company, to sell co-branded YubiKeys bundled for $68, less than half the $126 retail price. The feature is available to everyone, including users on the free tier. The company says it is designed for journalists, political dissidents, researchers, and elected officials. But the fact that OpenAI built it at all is an acknowledgment that a ChatGPT account, for a growing number of people, now holds more sensitive information than their email. Advanced Account Security replaces every conventional login and recovery mechanism with cryptographic authentication. Users who enable it must register two separate credentials, choosing from passkeys stored on their device, YubiKeys or other FIDO2-compliant hardware tokens, or a combination. Each credential generates a unique cryptographic key pair that never leaves the device, which means there is no password to steal, no one-time code to intercept, and no recovery email that an attacker can compromise through social engineering. OpenAI has made the design trade-off explicit: its own support team cannot restore access to an account protected by Advanced Account Security if the user loses both credentials. The company issues a recovery key during setup, and if that key is also lost, the account is unrecoverable. The architecture is borrowed from the same zero-trust principles that protect classified government systems and cryptocurrency wallets, applied to a consumer chatbot. The feature includes several secondary protections. Sign-in sessions are shortened, reducing the window during which a stolen session token could be exploited. Users receive alerts for every new login and can view and terminate active sessions from their account settings. And enabling Advanced Account Security automatically opts the user out of model training, meaning their conversations will not be used to improve future versions of ChatGPT. That last detail is significant: it links the highest level of account protection to the highest level of data privacy, creating a tier of user whose interactions with the system are both cryptographically secured and contractually excluded from OpenAI's training pipeline. For users handling sensitive material, the combination addresses two concerns simultaneously. The security upgrade arrives in a context that makes its purpose clear. In 2024, Group-IB, the Singapore-based cybersecurity firm, identified more than 100,000 stolen ChatGPT credentials circulating on dark web marketplaces, harvested from devices compromised by information-stealing malware. Those credentials gave anyone who purchased them full access to the victim's chat history, which for many users included confidential work conversations, personal queries, and information that would be damaging if exposed. A separate breach involving Mixpanel, a third-party analytics provider, exposed ChatGPT user names, email addresses, and technical metadata that could be used for targeted phishing campaigns. The industry's broader push toward passwordless authentication has been driven by the recognition that passwords are the single largest attack surface in consumer technology: an estimated 46 per cent of all successful cyberattacks on small and medium businesses in 2026 will originate from credential reuse, according to industry research. ChatGPT's vulnerability is distinctive because of what the accounts contain. An email account holds messages. A banking account holds transaction records. A ChatGPT account holds the unfiltered questions a person asks when they believe no one is watching: medical symptoms, legal exposure, relationship problems, business strategies, code with proprietary logic, and conversations with an AI system that remembers context across sessions. OpenAI's Codex Chronicle feature, which periodically captures screenshots of a user's desktop and sends them to OpenAI's servers for processing, has made the data stakes even higher for users who opt in. The company is simultaneously expanding the volume of sensitive information its products collect and building the security infrastructure to protect it. Advanced Account Security is the protection side of that equation. The partnership with Yubico is commercial and strategic. The two co-branded products, the YubiKey C NFC and the YubiKey C Nano, are physically identical to Yubico's existing product line but carry OpenAI branding and are sold through OpenAI's channels at a subsidised price. The C NFC model supports both USB-C and near-field communication, allowing it to work with laptops, phones, and tablets. The C Nano model is small enough to remain permanently inserted in a USB-C port. Both support FIDO2, the authentication standard developed by the FIDO Alliance that underpins passkeys and is backed by Apple, Google, and Microsoft. The $68 bundle for two keys represents a meaningful discount: a single YubiKey C NFC retails for approximately $55, making the bundle effectively a buy-one-get-one offer. OpenAI's decision to subsidise hardware authentication for its users reflects a calculation about the cost of account compromises. A high-profile breach of a ChatGPT account belonging to a journalist, government official, or corporate executive would generate reputational damage that far exceeds the cost of discounted security keys. By making hardware authentication cheap and accessible, OpenAI is shifting the security burden from a password that can be phished to a physical object that must be stolen. The strategy mirrors what Google implemented internally in 2017, when the company distributed YubiKeys to all 85,000 employees and subsequently reported zero successful phishing attacks against employee accounts. OpenAI is applying the same logic to its user base, though on an opt-in rather than mandatory basis, with one exception: members of the Trusted Access for Cyber programme, which grants verified security researchers and defenders access to OpenAI's most capable cybersecurity models, will be required to enable Advanced Account Security by 1 June 2026. The deeper significance of Advanced Account Security is not the feature itself but what it implies about the category. When a company builds bank-grade security for a chatbot, it is telling you that the chatbot is no longer a toy. OpenAI now operates a six-tier subscription structure that ranges from a free ad-supported account to custom enterprise contracts, with 50 million paying subscribers and 900 million weekly active users. A meaningful fraction of those users treat ChatGPT as a primary work tool, a confidential advisor, or both. The conversations stored in those accounts are, in aggregate, one of the most valuable datasets of human intent ever assembled: what people want to know, what they are worried about, what they are building, and what they are hiding. Protecting that dataset is not a feature. It is a business requirement. The opt-in model is both a strength and a limitation. Users who need Advanced Account Security the most, dissidents in authoritarian countries, journalists investigating powerful institutions, executives discussing unreleased products, are also the users most likely to enable it. But the vast majority of ChatGPT's 900 million weekly users will never toggle the setting, which means their accounts will remain protected by whatever password they chose when they signed up, reused from another service, and have not changed since. AI-powered phishing campaigns can now generate hundreds of targeted messages per minute, each tailored to a specific victim, and the most common entry point remains a stolen or guessed password. OpenAI has built the infrastructure to protect accounts that matter. Whether the accounts that do not opt in will become the easier targets is a question the feature does not answer. What it does answer, clearly, is that OpenAI considers a ChatGPT account to be a high-value asset worth defending with the same tools used to protect state secrets and financial systems. The company that made it easy for anyone to talk to an AI has now made it possible for anyone to lock that conversation behind hardware that cannot be phished. The gap between those two populations will determine how the next wave of AI-related breaches unfolds.

You can now protect your ChatGPT account with a special USB-key

If you've ever worried about someone getting into your ChatGPT account, ChatGPT account, OpenAI has finally introduced something worth paying attention to. The company has rolled out a new opt-in feature called Advanced Account Security, and it is exactly what it sounds like. You can now lock down your account using a physical security key, which is now available to regular ChatGPT users. What happens when you turn it on The feature bundles several protections together rather than making you hunt through settings menus. Password-based login is disabled entirely and replaced by passkeys or physical security keys. Session lengths get shorter, so a stolen login can't be used indefinitely. You get alerts when someone signs into your account. And conversations from enrolled accounts are automatically excluded from model training -- no need to dig around for that toggle separately. The account recovery side is where things get serious. Email and SMS recovery are disabled, so if you lose your keys, OpenAI Support cannot help you regain access. The most common way accounts get hijacked is through compromised email or phone numbers, so cutting that off is a meaningful step up. OpenAI is partnering with Yubico to make the hardware more accessible Rather than just pointing users to Google search results, OpenAI has partnered with Yubico -- one of the most trusted names in hardware authentication -- to offer discounted bundles of YubiKeys. The bundle includes two keys: one small enough to live permanently in your laptop port, and one with NFC for mobile use. It's a smart move. The biggest barrier to hardware-based security has always been the friction of getting started, and removing the pricing hurdle helps. While this is a good initiative, here's what I really think about it. Most casual ChatGPT users probably don't need this yet. But the landscape is shifting. People are using ChatGPT for sensitive work conversations, legal research, medical questions, and business strategy. An account that holds months of that context is a valuable target. OpenAI offering this now, before a major account-breach headline forces their hand, is the right call -- and it's a sign that AI companies are starting to take security as seriously as the data they're actually holding.

OpenAI Rolls Out Advanced Account Security for ChatGPT Users - Decrypt

Enrolled accounts are excluded from model training by default. OpenAI on Thursday introduced Advanced Account Security, a new opt-in setting for ChatGPT designed for users who want stronger protection or face higher risks of digital attacks. The company said the new feature was created in response to how people are increasingly using ChatGPT to handle more sensitive and high-stakes tasks. "People are turning to AI for deeply personal questions and increasingly high-stakes work. Over time, a ChatGPT account can hold sensitive personal and professional context, and sit at the center of connected tools and workflows," OpenAI said in a statement. "For some people, like journalists, elected officials, political dissidents, researchers, and those who are especially security-conscious, the stakes are even higher." OpenAI said the feature is intended to give users more control over security and privacy while centralizing protections in one place. Available in web account settings, the feature applies to ChatGPT and Codex accounts using the same login and requires passkeys or physical security keys instead of passwords, while limiting account recovery to backup passkeys, security keys, or recovery keys, and removing email and SMS options. That means OpenAI cannot assist with account recovery if those methods are unavailable. "Using physical security keys, such as YubiKeys, is one of the strongest defenses against phishing," the company wrote. "To make that level of protection easier to access, we have partnered with Yubico, a leader in hardware-based authentication and account protection, to offer our users preferred pricing on a customized bundle of best-in-class security keys." OpenAI said it will offer a discount on a bundle that includes two keys for everyday use and backup. Users can also use other FIDO-compliant security keys or software-based passkeys. Sign-in sessions are shortened to limit exposure if a device is compromised. Users receive alerts for logins and can review active sessions across devices. The setting also changes how user data is handled. Conversations from accounts enrolled in Advanced Account Security are automatically excluded from model training. OpenAI did not immediately respond to a request for comment by Decrypt. The announcement comes as phishing attacks continue to target users with increasingly convincing scams. In March, an OpenClaw developer was lured to a phishing scam targeting crypto wallets through a fake Github account. That same month, the Bonk.fun domain was hijacked by scammers to push wallet-draining prompts. Earlier this month, a fake Ledger app stole more than $9 million from over 50 users. The Advanced Account Security rollout also includes changes for users in OpenAI's "Trusted Access for Cyber" program, which provides access to more capable and permissive models. Members of the program will be required to enable Advanced Account Security starting June 1. Organizations can instead confirm they use phishing-resistant authentication through single sign-on systems. "Privacy and security are foundational to how we build all of our products and we'll continue investing in protections that give people more control and stronger safeguards over time," OpenAI wrote. "We expect to extend this work to additional audiences, including enterprise environments, where stronger account security can matter just as much."

OpenAI Launches Advanced Security for ChatGPT Accounts

Partnership with Yubico: The AI company has partnered with Yubico to support hardware-based authentication through security keys. They will offer a customised bundle of YubiKeys at preferred pricing. While the partnership launches alongside Advanced Account Security, the hardware bundle will be available more broadly to eligible users. The system also supports other Fast Identity Online (FIDO) compliant security keys and software-based passkeys. Why this matters: India has 100 million weekly active ChatGPT users, making it one of the company's largest global markets, OpenAI CEO Sam Altman said in February 2026. This is a user base that includes journalists, researchers, and government officials for whom account security is not theoretical. These are precisely the groups OpenAI says it designed this feature for. In India, they face documented risks: the country has seen Pegasus spyware used against journalists and activists, and account compromise via phishing is a recognised threat. The timing also aligns with a broader regulatory shift. The Reserve Bank of India's (RBI's) new authentication directions for digital payments, effective April 2026, mandate moving away from SMS OTPs toward stronger verification methods, signalling a broader move away from passwords and OTPs.

OpenAI Tightens ChatGPT Security with Advanced Protection for High-Risk Users

OpenAI is rolling out advanced security protections for ChatGPT users, targeting high-risk accounts. The update introduces stronger safeguards against hacking, data leaks, and identity-based attacks. OpenAI has implemented an additional security measure for high-risk ChatGPT users. The Sam Altman-led tech firm has enhanced its security system with this update by implementing sophisticated authentication techniques and developing stronger protection against unauthorized access. The primary reason for the development is the increasing number of hacks faced by AI platforms that now process confidential discussions. The rollout demonstrates that the entire digital identity protection industry needs to develop new methods to help users secure their online identities. The need to protect accounts has become mandatory because AI tools are now essential components of both personal and professional work.