OpenAI introduces hardware security keys for ChatGPT in collaboration with Yubico and has disabled password-based login for users deemed high-risk.

      OpenAI has introduced Advanced Account Security for ChatGPT and Codex, an opt-in feature that substitutes passwords with passkeys or hardware security keys, disables recovery via email and SMS, and automatically opts users out of model training. In collaboration with Yubico, the company is offering co-branded YubiKeys for $68 (two-pack), which is less than half of the retail price. This feature is aimed at journalists, dissidents, and officials, and will become mandatory for members of Trusted Access for Cyber by June 1.

      OpenAI's security enhancement for ChatGPT accounts is akin to how banks secure online banking: it employs hardware keys, eliminates passwords, removes email recovery, and does not provide customer support if users lose access. The Advanced Account Security feature is an opt-in option that requires users to log in using two passkeys, two hardware security keys, or one of each. Once activated, traditional password-based login is permanently disabled, and account recovery via email or text message is no longer feasible. OpenAI has teamed up with Yubico, a hardware authentication company, to offer co-branded YubiKeys in a $68 bundle, significantly below the retail price of $126. This feature is accessible to all users, including those on the free plan. It is tailored for journalists, political dissidents, researchers, and elected officials, acknowledging that for a growing number of individuals, a ChatGPT account contains more sensitive information than email.

      What it does

      Advanced Account Security replaces conventional login and recovery methods with cryptographic authentication. Users who activate this feature must register two separate credentials, which can include passkeys on their device, YubiKeys, other FIDO2-compliant tokens, or combinations thereof. Each credential creates a unique cryptographic key pair that remains on the device, ensuring that there are no passwords to steal, no one-time codes to intercept, and no recovery emails that attackers can exploit via social engineering. OpenAI explicitly states that its support team cannot restore access to accounts secured by Advanced Account Security if users lose both credentials. During setup, a recovery key is issued, but if that key is lost as well, account recovery is impossible. This system utilizes the zero-trust principles found in classified government systems and cryptocurrency wallets, applied to a consumer-focused chatbot.

      Several additional protections accompany this feature. Sign-in sessions are shorter, minimizing the time a stolen session token could be misused. Users receive notifications for each new login and can review and terminate active sessions within their account settings. Moreover, opting into Advanced Account Security automatically excludes users from model training, ensuring their interactions will not be used to enhance future ChatGPT versions. This aspect is significant as it links top-tier account security with maximum data privacy, creating a user category whose interactions with the system are both cryptographically secured and contractually excluded from OpenAI’s training processes. For users managing sensitive information, this dual focus addresses two critical concerns.

      Why it matters

      This security enhancement comes at a time when its necessity is clear. In 2024, cybersecurity firm Group-IB revealed over 100,000 stolen ChatGPT credentials available on dark web marketplaces, obtained from devices infected with information-stealing malware. These credentials allowed buyers full access to victims’ chat histories, which often contained confidential work discussions, personal inquiries, and sensitive information that could be damaging if disclosed. A separate breach involving Mixpanel, a third-party analytics provider, revealed ChatGPT usernames, email addresses, and technical metadata that could facilitate targeted phishing attacks. The industry's shift towards passwordless authentication stems from the understanding that passwords constitute the largest attack surface in consumer technology: research suggests that approximately 46% of successful cyberattacks on small and medium businesses in 2026 will stem from credential reuse.

      The unique vulnerability of ChatGPT accounts lies in their content. An email account holds messages, a bank account contains transaction records, while a ChatGPT account includes the unfiltered questions individuals pose in private: medical inquiries, legal concerns, relationship issues, business tactics, proprietary code, and conversations with an AI that retains context across sessions. OpenAI’s Codex Chronicle feature, which takes periodic screenshots of a user's desktop to transmit to OpenAI’s servers for processing, raises data stakes for users who opt in. The company is simultaneously increasing the volume of sensitive information its products gather and developing a security framework to safeguard it. Advanced Account Security represents the protective aspect of that framework.

      The Yubico deal

      The collaboration with Yubico serves both commercial and strategic purposes. The two co-branded products, the YubiKey C NFC and YubiKey C Nano, are identical to Yubico's existing offerings but feature OpenAI branding and are available through OpenAI's channels at a reduced price. The C NFC model is compatible with USB-C and near-field communication, making it usable with laptops, phones, and tablets. The C Nano model is small enough to remain permanently in a USB-C port. Both support FIDO2,