OpenAI introduces hardware security keys for ChatGPT in collaboration with Yubico and has discontinued password login for users deemed high-risk.

      OpenAI has introduced Advanced Account Security for ChatGPT and Codex, an optional feature that substitutes passwords with passkeys or hardware security keys. It disables email and SMS recovery and automatically opts users out of model training. In collaboration with Yubico, co-branded YubiKeys are offered for $68 (two-pack), a price significantly lower than retail. This feature is aimed at journalists, dissidents, and officials, and will become mandatory for members of the Trusted Access for Cyber program by June 1.

      The new security feature is designed for ChatGPT accounts, implementing hardware keys instead of passwords, eliminating email recovery options, and refraining from customer support assistance in case users lose access. Named Advanced Account Security, this opt-in feature necessitates users to authenticate using two passkeys, two hardware security keys, or a combination of the two before accessing ChatGPT or Codex. Once activated, traditional password login will be permanently disabled, and account recovery via email or text will no longer be available. OpenAI has partnered with Yubico to provide co-branded YubiKeys at a bundled price of $68, which is less than half the retail price of $126. This feature is accessible to all users, including those on the free tier, and is particularly beneficial for journalists, political dissidents, researchers, and elected officials. This initiative reflects the increasing sensitivity of information contained within ChatGPT accounts, now seen as more sensitive than emails by many users.

      Advanced Account Security eliminates conventional login and recovery methods by using cryptographic authentication. Users opting in must register two separate credentials—either passkeys stored on their device, YubiKeys, or other FIDO2-compliant hardware tokens. Each credential creates a unique cryptographic key pair that stays on the device, eliminating the risk of stolen passwords, intercepted one-time codes, or compromised recovery emails. OpenAI has clearly communicated that if a user loses both credentials, its support team cannot restore access. A recovery key is provided during setup, but if this key is lost too, the account becomes irretrievable. This approach is derived from zero-trust principles that safeguard classified government systems and cryptocurrency wallets, now applied to consumer use.

      The feature includes additional protective measures. Sign-in sessions are shortened to limit the duration that a stolen session token could be misused. Users receive notifications for every new login and can view and end active sessions from their account settings. Enabling Advanced Account Security automatically opts users out of model training, ensuring their dialogues won't contribute to future ChatGPT improvements. This connection between top-level account protection and data privacy creates a user tier where interactions are cryptographically secured and excluded from OpenAI's training pipeline, addressing two major concerns for those handling sensitive information.

      The rollout of this security enhancement comes at a critical time. In 2024, Group-IB, a cybersecurity firm based in Singapore, reported over 100,000 stolen ChatGPT credentials being sold on dark web marketplaces, sourced from infected devices. Buyers of these credentials gained unrestricted access to the victims' chat histories, which could involve confidential work discussions, personal inquiries, and sensitive information at risk of exposure. Additionally, a breach involving Mixpanel, a third-party analytics provider, revealed ChatGPT usernames, email addresses, and technical metadata that could fuel targeted phishing efforts. The broader industry trend towards passwordless authentication stems from the understanding that passwords represent a major vulnerability in consumer technology, with estimates indicating that by 2026, at least 46% of successful cyberattacks on small and medium businesses will stem from credential reuse.

      What makes ChatGPT's vulnerability unique is the nature of its accounts. An email account contains messages and a bank account holds transaction records, while a ChatGPT account comprises unfiltered queries a user might pose in privacy: medical inquiries, legal concerns, relationship issues, business strategies, proprietary coding, and AI discussions with retained context. Furthermore, OpenAI’s Codex Chronicle feature, which occasionally takes screenshots of a user’s screen and sends them to OpenAI’s servers for processing, raises the stakes for users choosing to opt in. OpenAI is simultaneously increasing the amount of sensitive data it collects while enhancing the security measures to safeguard that information. Advanced Account Security represents the protective aspect of this initiative.

      The partnership with Yubico serves both commercial and strategic purposes. The co-branded YubiKey C NFC and YubiKey C Nano products are identical to Yubico's standard offerings but come with OpenAI branding and are available at a reduced price through OpenAI's channels. The C NFC model supports USB-C and NFC, making it compatible with laptops, smartphones, and tablets, while the C Nano is compact enough to remain in a USB-C port at all times. Both models support FIDO2, the authentication standard established by the FIDO Alliance, which is endorsed by major companies like Apple, Google, and Microsoft. The $68 bundle for two keys offers a significant discount, as a single YubiKey C NFC retails