OpenAI Introduces Advanced Account Security for ChatGPT and Codex Users

Wired AI

Key Points

  • OpenAI launches Advanced Account Security for ChatGPT and Codex accounts.
  • Passwords are replaced by two physical security keys or passkeys.
  • Email and SMS recovery methods are removed; recovery uses keys only.
  • Support staff cannot assist with account recovery once the tier is enabled.
  • Shorter sign‑in windows and real‑time login alerts improve monitoring.
  • Yubico offers discounted YubiKey bundles for users adopting the feature.
  • Trusted Access for Cyber members must enable the tier by June 1 or provide an alternative attestation.

OpenAI announced Thursday that it will roll out an optional Advanced Account Security tier for ChatGPT and Codex accounts. The new feature replaces passwords with physical security keys or passkeys, eliminates email and SMS recovery, and forces tighter sign‑in windows. Aimed at high‑risk users such as journalists, elected officials and researchers, the measure also blocks support staff from accessing recovery options, limiting attackers’ social‑engineering avenues. OpenAI partnered with Yubico to offer discounted YubiKey bundles and will require members of its Trusted Access for Cyber program to enable the tier by June 1.

OpenAI unveiled an optional security tier on Thursday that adds a robust layer of protection for ChatGPT and Codex accounts deemed high‑risk. Dubbed Advanced Account Security, the feature forces users to abandon traditional passwords in favor of two physical security keys or passkeys, dramatically reducing the likelihood of phishing‑based takeovers.

The move mirrors Google’s long‑standing Advanced Protection program and comes as AI services expand into more personal and mission‑critical workflows. "People are turning to AI for deeply personal questions and increasingly high‑stakes work," the company wrote in a blog post. "For some, like journalists, elected officials, political dissidents, researchers, and those especially security‑conscious, the stakes are even higher."

Key features of Advanced Account Security

When enabled, the new tier removes password‑based login entirely. Users must register two hardware security keys—such as YubiKey devices—or compatible passkeys. Email and SMS recovery routes disappear; instead, account recovery relies on recovery keys, backup passkeys, or additional physical keys. OpenAI also shortened session lifetimes, prompting users to re‑authenticate more frequently.

Alert notifications appear on the dashboard whenever a new device signs in, giving account owners a clear view of active sessions. As a privacy safeguard, the tier also opts users out of having their conversations used for model training by default.

Support staff lose the ability to intervene in account recovery, a deliberate design choice meant to prevent attackers from exploiting support channels through social engineering. "When a user turns on Advanced Account Security, they can no longer seek help from OpenAI’s support team for account recovery," the blog explained, underscoring the zero‑trust approach.

OpenAI has teamed with Yubico to provide lower‑cost YubiKey bundles for users who adopt the new security level. The partnership aims to lower the barrier for individuals and organizations that need phishing‑resistant authentication without a hefty price tag.

Members of OpenAI’s Trusted Access for Cyber program—researchers, cybersecurity professionals and other vetted participants—must enable Advanced Account Security by June 1, or submit an alternative attestation proving they use enterprise single sign‑on with phishing‑resistant authentication.

The rollout is part of a broader cybersecurity strategy announced earlier this month, reflecting growing concerns about credential theft as AI tools become embedded in news platforms, corporate workflows, and public services. By tightening access controls, OpenAI hopes to protect the sensitive personal and professional context that can accumulate in a single ChatGPT account.

While the feature is optional for most users, OpenAI’s messaging suggests it will become the default for users with elevated risk profiles. The company says the new tier is a step toward a more secure AI ecosystem, where the convenience of conversational agents does not come at the expense of user safety.
