ChatGPT advanced account security adds passkeys and hardware keys

Source: Help Net Security

Author: Anamarija Pogorelec

URL: https://www.helpnetsecurity.com/2026/05/04/openai-chatgpt-advanced-account-security/

ONE SENTENCE SUMMARY:

OpenAI’s Advanced Account Security makes ChatGPT and Codex logins phishing-resistant by requiring passkeys or security keys, and adds tighter sessions, no support-assisted recovery, and exclusion from model training.

MAIN POINTS:

  1. OpenAI launched an opt-in Advanced Account Security setting for ChatGPT and Codex accounts.
  2. Enabling it disables password-based sign-in, requiring passkeys or physical security keys.
  3. Removing passwords reduces susceptibility to phishing and credential-stuffing attacks.
  4. Email and SMS recovery are eliminated to prevent takeover via compromised inboxes or phone numbers.
  5. Account recovery relies only on user-held backup passkeys, security keys, and recovery keys.
  6. OpenAI Support cannot restore access after enrollment, shifting recovery responsibility to users.
  7. Shorter sign-in sessions limit exposure from stolen devices or hijacked active sessions.
  8. One enrollment applies across both ChatGPT and Codex under the shared login.
  9. Conversations from enrolled accounts are excluded from model training automatically.
  10. Individuals in Trusted Access for Cyber must enable it by June 1, 2026, or use phishing-resistant SSO attestation.

TAKEAWAYS:

  1. Prioritize setting up multiple backup authentication factors before enabling the setting, to avoid permanent lockout.
  2. Eliminating SMS/email recovery closes common account takeover routes tied to SIM-swaps and inbox compromise.
  3. FIDO2/WebAuthn-based methods align ChatGPT security with major platforms’ phishing-resistant standards.
  4. Hardware key bundles (e.g., dual YubiKeys) support primary-plus-backup operational resilience.
  5. Security-sensitive users gain assurance by default, without changing any settings manually, that their chats won’t be used for training.