OpenAI Launches Yubico-Backed ChatGPT Account Protection


TL;DR

  • Security Launch: OpenAI launched Advanced Account Security for ChatGPT on April 30 with phishing-resistant login hardware.
  • Recovery Trade-Off: Enrolled users lose email and SMS recovery, and a lost key can leave chats permanently inaccessible.
  • June 1 Deadline: Trusted Access for Cyber members must comply by June 1, 2026, unless their employer attests to phishing-resistant SSO.

OpenAI has launched Advanced Account Security for ChatGPT users. Under the opt-in program, phishing-resistant login hardware works with a stricter recovery model that can leave an account inaccessible after a lost credential.

OpenAI says the program is for high-risk users such as journalists, researchers, and corporate users who may keep sensitive material inside chats. OpenAI is also letting any ChatGPT user request it.

How the rollout changes ChatGPT login security

Under the rollout, hardware security keys provide stronger protection than passwords and conventional authentication methods. OpenAI also says the setting covers Codex once a user is enrolled, which makes the launch a direct account-security change across its AI tools rather than a branding-only add-on.

OpenAI and Yubico are also offering a co-branded YubiKey C NFC bundle alongside the YubiKey C Nano, other FIDO-compliant security keys, and software passkeys. Customers get a physical credential option while still retaining broader passkey support if they do not want the branded hardware.

OpenAI used the rollout to explain why hardware keys sit at the center of the program.

“Security keys are one of the best ways to protect accounts from phishing, and Yubico has played a leading role in making that protection practical and accessible. We’ve made YubiKeys a standard part of how we protect OpenAI employees, and with Advanced Account Security, we’re making it easier for ChatGPT users to choose that same kind of phishing-resistant protection when it’s right for them.”

Dane Stuckey, Chief Information Security Officer at OpenAI (via Yubico)

The push also follows CISA’s December 2024 warning against SMS-based MFA and Microsoft’s March 2026 rollout of Entra passkeys for Windows. Together, the two put phishing-resistant sign-in into mainstream security guidance and large-scale product rollouts before OpenAI added the same kind of protection to ChatGPT accounts.