OpenAI Just Killed Passwords for High-Risk Users
Advanced Account Security

San Francisco, CA — OpenAI has introduced Advanced Account Security, a new protection layer for ChatGPT and Codex that eliminates passwords entirely and replaces them with phishing-resistant authentication methods. The move comes as AI accounts increasingly store sensitive personal and professional data, making them prime targets for cyberattacks. 

The feature is optional but designed for users who want maximum security or who face higher risks, such as journalists, researchers, and public figures.

No Passwords. No SMS. No Weak Links.

With Advanced Account Security enabled, OpenAI removes the weakest parts of traditional login systems:

  • ❌ No password-based login

  • ❌ No email or SMS account recovery

  • ❌ No support-assisted recovery

Instead, users must rely on:

  • ✅ Passkeys (device-based cryptographic login)

  • ✅ Physical security keys (like hardware tokens)

  • ✅ Backup recovery keys

👉 This makes account takeover extremely difficult, especially through phishing.

Built to Stop the Most Common Attacks

Most cyberattacks today rely on:

  • Stolen passwords

  • Phishing emails

  • SIM swap attacks

OpenAI’s approach directly targets these vulnerabilities by making phishing-resistant authentication mandatory for protected accounts. 

Even if an attacker gains access to your email or phone number, they still can’t access your account without the physical key or passkey.

Stricter Recovery — Even OpenAI Can’t Help You

One of the boldest changes:

👉 OpenAI support cannot recover your account if you lose access

This is intentional.

Why?

  • Prevents attackers from exploiting customer support (a common hacking method)

  • Eliminates social engineering attack vectors

But it also means:

⚠️ Users must carefully manage their recovery keys and backups

Shorter Sessions, More Visibility

Advanced Account Security also introduces tighter session controls:

  • Shorter login sessions to reduce exposure

  • Real-time alerts for new logins

  • Full visibility into active sessions across devices 

👉 You always know where your account is being used—and can act quickly

Your Data Is Automatically Protected

Another important change:

👉 Conversations are excluded from model training by default

This is especially useful for users handling:

  • Sensitive business data

  • Personal or confidential information

  • Security-related workflows 

Hardware Keys Go Mainstream (With Yubico Partnership)

To support this shift, OpenAI has partnered with Yubico to offer:

  • Hardware security keys (YubiKeys)

  • Discounted bundles for users

These keys act as a physical layer of protection, widely considered the gold standard in cybersecurity. 

Mandatory for High-Security Programs

OpenAI is going further:

  • Users in its Trusted Access for Cyber program must enable Advanced Account Security starting June 1, 2026

  • Enterprises can alternatively use phishing-resistant SSO systems 

OpenAI’s Advanced Account Security is a bold step forward:

👉 No passwords. No shortcuts. Maximum protection.

It may add friction—but in exchange, it delivers one of the strongest account security models available today, setting a new standard for how AI platforms protect users.