ChatGPT Advanced Account Security is an opt-in protection system for consumer ChatGPT accounts that eliminates traditional password-based login entirely, replacing it with phishing-resistant hardware security keys or passkeys. OpenAI launched the feature to defend high-risk users—political dissidents, journalists, researchers, and elected officials—against account takeovers at a time when chatbot credentials are increasingly targeted by phishing campaigns.
Key Takeaways
- Advanced Account Security disables passwords, email recovery, and SMS-based authentication for enrolled accounts.
- Requires at least two secure sign-in methods, with one working across devices (passkey + hardware key, two passkeys, or two hardware keys).
- OpenAI partners with Yubico for preferred pricing on a bundle of two YubiKeys: C Nano and C NFC.
- Mandatory for Trusted Access for Cyber members accessing cyber-capable models starting June 1, 2026.
- Recovery keys are single-use, trigger a 48-hour unlock delay, and must be stored securely offline.
How ChatGPT Advanced Account Security Works
Once enrolled in ChatGPT Advanced Account Security, your account stops accepting password-based sign-in entirely. Instead, you authenticate using passkeys (software credentials stored on your device) or hardware security keys—physical USB devices that you insert to verify your identity. The system requires at least two separate sign-in methods, and at least one must work across multiple devices, preventing a single lost key from locking you out permanently.
Sign-in sessions are automatically shortened to limit exposure if your device is compromised. Additionally, conversations from accounts enrolled in Advanced Account Security are automatically excluded from OpenAI’s model training, meaning your chat history cannot be used to improve future versions of ChatGPT. This is a significant privacy win for users handling sensitive information.
The trade-off is strict: if you lose access to all your sign-in methods and recovery keys, OpenAI Support cannot help you regain access. There is no password reset, no SMS fallback, and no human intervention option. This design is intentional—it prevents social engineering attacks where a threat actor might impersonate you to OpenAI staff—but it also means you bear full responsibility for storing recovery keys safely.
Setting Up ChatGPT Advanced Account Security
Enrollment happens directly in ChatGPT on the web. Navigate to Settings, then Security, then select Advanced Account Security and choose Enroll. The setup wizard guides you through adding at least two secure sign-in methods. You can pair a passkey with a hardware security key, use two passkeys on different devices, or use two hardware keys.
The process is straightforward but requires planning. If you choose hardware keys, you will need to purchase or obtain them before enrolling. OpenAI has partnered with Yubico to offer preferred pricing on a bundle containing two keys: the YubiKey C Nano (designed to stay permanently seated in a laptop USB-C port) and the YubiKey C NFC (a backup key that works via NFC for cross-device authentication). This pairing ensures you have a primary key for your main computer and a backup for phones or tablets.
Recovery Keys and Account Restoration
During setup, ChatGPT Advanced Account Security generates single-use recovery keys—backup codes you must write down or export and store in a secure location, ideally offline. If you lose access to both your passkeys and hardware keys, a recovery key is your only path back in. When you enter a valid recovery key, a mandatory 48-hour waiting period begins; once it ends, the account unlocks and you follow prompts to regain access.
You can replace recovery keys at any time by returning to Settings > Security > Advanced Account Security > Recovery Keys > Manage, then selecting Replace Recovery Keys. Generating new recovery keys invalidates the old ones, so this is a useful step if you believe your recovery codes have been compromised. Always save and confirm new codes before closing the dialog.
Who Should Enroll and When It Becomes Mandatory
ChatGPT Advanced Account Security is currently opt-in for all consumer ChatGPT users on the web. However, it will become mandatory for a specific group: individual members of OpenAI’s Trusted Access for Cyber program who access the company’s most powerful cyber-capable models. That requirement takes effect June 1, 2026. Organizations with Trusted Access for Cyber can alternatively attest that they have phishing-resistant single sign-on (SSO) in place, avoiding the per-user hardware key requirement.
For everyday users, enrollment is voluntary but recommended if you handle sensitive work, communicate with sources or contacts at risk, or store valuable data in your ChatGPT conversations. Journalists, activists, and researchers are the primary targets of account compromise attacks, making this feature especially relevant for those groups. If you are a casual user with no sensitive data in ChatGPT, the friction of managing hardware keys and recovery codes may outweigh the security benefit.
How This Compares to Standard ChatGPT Security
Standard ChatGPT accounts rely on email and password authentication, with optional two-factor authentication (2FA) via SMS or an authenticator app. These methods are vulnerable to phishing, where a user is tricked into entering their credentials on a fake login page, and to SIM swapping, where an attacker redirects SMS messages to a new phone. Hardware security keys and passkeys are phishing-resistant because they cryptographically verify the legitimate OpenAI domain before allowing sign-in, so a fake login page on another domain cannot pass that verification.
Passkeys offer a middle ground: they are phishing-resistant and require no hardware purchase, but they are tied to the device or password manager where they are stored. If your device is stolen or your password manager is compromised, passkeys can be extracted. Hardware keys, by contrast, store the cryptographic secret on the physical device itself and never transmit it to your computer, making them substantially more resistant to software-based attacks.
Frequently Asked Questions
What happens if I lose both my hardware key and my passkey?
If you lose all sign-in methods, you can use a single-use recovery key to unlock your account after a 48-hour waiting period. If you also lose your recovery keys, OpenAI Support cannot help you regain access, and your account remains locked permanently.
Do I need both a hardware key and a passkey?
No. You can enroll using two hardware keys, two passkeys, or one of each. The requirement is at least two secure sign-in methods total, with at least one working across devices. Two hardware keys (one on your laptop, one on your phone) satisfy this. Two passkeys on different devices also work.
Will ChatGPT Advanced Account Security prevent me from using ChatGPT on mobile apps?
The feature is available through ChatGPT on the web. Compatibility with ChatGPT mobile apps is not specified in the available documentation, so you may need to sign in via the web to set up or manage Advanced Account Security, then use mobile apps with existing sessions.
ChatGPT Advanced Account Security represents a significant shift toward phishing-resistant authentication for high-risk users. It is not a feature for everyone—the loss of account recovery options and the need to manage physical or software keys add friction. But for users whose ChatGPT accounts contain sensitive information or who are targets of sophisticated phishing campaigns, the elimination of password-based login is a meaningful security upgrade. The June 2026 mandate for Trusted Access for Cyber users signals that OpenAI views hardware-backed authentication as the future standard for accounts accessing its most powerful models.
Edited by the All Things Geek team.
Source: TechRadar


