OpenAI Introduces Advanced Account Security with Passkeys and Hardware Keys

OpenAI has activated Advanced Account Security, a security option for ChatGPT and Codex that eliminates password-based authentication. The system requires the use of passkeys or hardware security keys, drastically reducing the risks of phishing and unauthorized access. The new feature was designed for high-risk users, including journalists, researchers, and political dissidents.

Quick Answer

  • Advanced Account Security replaces passwords with passkeys or hardware keys
  • Disables email/SMS recovery, limiting recovery to backup passkeys and security keys
  • Login sessions are shortened to limit exposure in case of compromise
  • Conversations of users who have enabled the option are excluded from model training
  • Adoption will be mandatory for Trusted Access for Cyber members as of June 1, 2026

Changes to Sign-Up and Security Improvements

Accounts with the option enabled sign in exclusively with passkeys or hardware security keys, and the password is permanently disabled. This approach also eliminates recovery via email and SMS, two common avenues exploited by attackers when a user's phone number or email is compromised. Recovery is limited to backup passkeys, security keys, and physical recovery keys owned by the user.

Once the option is enabled, OpenAI can no longer assist with account recovery, entirely shifting the responsibility of managing backup credentials to the user. Login sessions have been shortened to reduce exposure time in case of device or active session compromise. The setup covers both ChatGPT and Codex under the same login system, simplifying security management for users utilizing both services.

Conversations Excluded from Model Training

Conversations of users who have enabled Advanced Account Security are automatically excluded from OpenAI model training. This default setting aims to protect users handling sensitive personal or professional information, ensuring their inputs will not be used to improve language models.

Collaboration with Yubico and FIDO Support

OpenAI has partnered with Yubico to offer preferential pricing on a bundle of two YubiKeys specifically designed for Advanced Account Security. The bundle includes the YubiKey C Nano, ideal for daily authentication on laptops, and the YubiKey C NFC, useful for backup and use on mobile devices.

Users can still use any FIDO-compliant security key or software-based passkeys. OpenAI's solution follows the same standards adopted by Google, Microsoft, and GitHub, based on FIDO2 and WebAuthn specifications for phishing-resistant authentication.
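
The phishing resistance of FIDO2/WebAuthn comes from binding each login to the site that requested it. The following added example (not OpenAI's code, and not part of the original article) shows the relying-party side of that binding in Python: the checks on clientDataJSON and authenticatorData that reject an assertion produced for a lookalike site. The RP ID, origin, challenge and sample assertions are constructed placeholders, and signature verification is omitted.

```python
import base64, hashlib, hmac, json, struct

RP_ID = "login.example.test"                    # assumed relying-party ID (placeholder)
EXPECTED_ORIGIN = "https://login.example.test"  # assumed origin (placeholder)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion_binding(client_data_json, auth_data, expected_challenge, require_uv=True):
    """Return the names of failed binding checks; an empty list means all passed."""
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("type")
    got = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(expected_challenge).encode()):
        errors.append("challenge")      # stale or replayed challenge
    if client.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin")         # page that ran the ceremony, reported by the browser
    if len(auth_data) < 37:
        return errors + ["authData-length"]
    rp_id_hash, flags, _sign_count = struct.unpack(">32sBI", auth_data[:37])
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        errors.append("rpIdHash")       # credential scoped to a different RP ID
    if not flags & 0x01:
        errors.append("user-present")   # UP flag
    if require_uv and not flags & 0x04:
        errors.append("user-verified")  # UV flag (PIN or biometric)
    return errors

def simulated_assertion(origin, rp_id, challenge, flags=0x05):
    """Constructed sample of clientDataJSON and authenticatorData for a given origin."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": b64url(challenge)}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, 1)
    return client_data, auth_data

CHALLENGE = bytes(range(32))  # constructed; a real server issues a fresh random value

if __name__ == "__main__":
    lookalike = "login.example-test.invalid"    # constructed lookalike host
    cases = {"genuine": simulated_assertion(EXPECTED_ORIGIN, RP_ID, CHALLENGE),
             "lookalike": simulated_assertion("https://" + lookalike, lookalike, CHALLENGE)}
    for name, (cdj, ad) in cases.items():
        print(name, check_assertion_binding(cdj, ad, CHALLENGE) or "accepted")
```

In a full verifier the signature is checked over authenticatorData followed by the SHA-256 hash of clientDataJSON, so a relay cannot rewrite these fields after the fact.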

Mandatory Adoption for Trusted Access for Cyber

As of June 1, 2026, individual members of Trusted Access for Cyber accessing OpenAI's most advanced and permissive models will be required to enable Advanced Account Security. Organizations with trusted access can alternatively attest to having phishing-resistant authentication as part of their single sign-on workflow.

Implications for Account Security

The adoption of this new feature represents a significant step toward account security on sensitive platforms. By eliminating passwords and relying on more robust authentication methods, OpenAI drastically reduces the risk of breaches related to compromised credentials. This is particularly relevant for users handling sensitive information, offering an additional layer of protection against increasingly sophisticated cyberattacks.

Comparison with Other Security Solutions

Advanced Account Security aligns with current trends in cybersecurity, where password-based authentication is progressively being replaced by more secure methods. OpenAI's choice to adopt passkeys and hardware security keys reflects a proactive security strategy, in line with practices of other major tech companies. This approach not only enhances individual user security but also contributes to establishing new standards for secure authentication in cloud-based applications.

Considerations for Users

For ChatGPT and Codex users, enabling Advanced Account Security requires careful planning. It is essential to ensure access to multiple backup passkeys or security keys, preferably of different types, to guarantee availability in case of loss or malfunction. Users should also consider the impact on their daily access routine, adapting to the use of physical devices for authentication.

For those handling sensitive information, the automatic exclusion of conversations from model training represents a significant advantage. However, it is important to be aware that this setting is not reversible without completely disabling Advanced Account Security. Users should therefore carefully weigh the pros and cons before proceeding with adoption.

Impact on Privacy and Regulatory Compliance

The automatic exclusion of conversations from model training raises important privacy questions. OpenAI thus aligns with the strictest regulations such as the European GDPR, which requires transparent and controlled handling of personal data.

This move could encourage other platforms to adopt similar practices, fostering a broader shift toward privacy-focused AI development.

The Future of Secure Authentication

OpenAI's move could accelerate the adoption of FIDO2 and WebAuthn standards in other sectors. If this practice spreads, we might witness a gradual abandonment of traditional passwords in favor of more secure and convenient authentication methods.

This transition could also influence the development of new authentication technologies, such as advanced biometric solutions or blockchain-based methods. Tech companies might be pushed to innovate to offer even more secure and user-friendly alternatives.

Conclusions

Advanced Account Security represents a significant step toward a passwordless future. As technology continues to evolve, we are likely to see more platforms adopting similar authentication methods. For users, this means higher security levels but also the need to adapt to new access methods.

Organizations and individual users should take advantage of this opportunity to review their security practices and adopt proactive measures to protect their accounts. With mandatory adoption scheduled for 2026, the time to prepare is now, and investing in robust authentication solutions could prevent potential issues in the future.

Additional Resources

For more information on account security and the use of passkeys, you can consult OpenAI's official guide on Advanced Account Security. Additionally, the Automating Pentest Delivery Guide provides insights into improving cybersecurity through automated penetration testing.

Editorial Note and Disclaimer

The guides and content published on GoYou are the result of independent research and analysis activities, for informational, educational, and in-depth purposes.