OpenAI makes ChatGPT accounts harder to phish with Advanced Account Security

Account Security

OpenAI has launched Advanced Account Security for ChatGPT, replacing password logins with passkeys or security keys, tightening recovery rules, and automatically excluding enrolled accounts from model training.

# OpenAI makes ChatGPT accounts harder to phish with Advanced Account Security

## Opening summary

OpenAI’s newest product move is not a model release. It is a trust and access-control upgrade. On April 30, the company launched Advanced Account Security, an opt-in setting for ChatGPT accounts that replaces password-based login with passkeys or physical security keys and applies the same protection to Codex accounts that share that login.

## Main article

The feature bundles several changes that matter more together than they do individually. Once enrolled, users can no longer sign in with a traditional password. They must use passkeys or FIDO-compatible security keys, including hardware devices such as YubiKeys. OpenAI also disables e-mail and SMS account recovery for these accounts, which is meant to reduce common takeover paths such as phishing and SIM-swap attacks.

OpenAI says Advanced Account Security is aimed at people who face elevated digital risk, including journalists, researchers, political dissidents, elected officials, and other security-conscious users. But the company is also making the setting available more broadly at a moment when ChatGPT accounts increasingly hold sensitive personal context, work materials, and connected-tool access.

The tradeoff is explicit. OpenAI says its support team will not be able to recover enrolled accounts, because recovery is limited to backup passkeys, security keys, and recovery keys controlled by the user. The company is also shortening sign-in sessions, adding clearer active-session management, and issuing login alerts when someone accesses the account.

One of the more notable policy changes is automatic training exclusion. OpenAI already lets users opt out of having conversations used for model training, but enabling Advanced Account Security turns that preference on by default for those accounts. The company also says members of its Trusted Access for Cyber program will need to enable the feature, or attest to equivalent phishing-resistant authentication through enterprise single sign-on, starting June 1.

This is not the first high-security consumer account mode in tech. Google’s Advanced Protection program has existed for years. What is different here is the context. OpenAI is treating ChatGPT and Codex accounts less like casual app logins and more like access points into sensitive work, developer tooling, and organizational knowledge.

## Why it matters

As AI assistants move deeper into real workflows, account security becomes product infrastructure, not just a settings-page detail. Advanced Account Security matters because it signals that OpenAI now sees high-value ChatGPT access as something that needs phishing-resistant defaults, stronger recovery boundaries, and clearer privacy controls.

## Source notes

- Verified against OpenAI’s April 30 announcement plus TechCrunch, Wired, and PCMag coverage from the same day - Product naming kept exact to source material: Advanced Account Security for ChatGPT, with protection also applying to Codex accounts accessed through the same login - Claims about support-assisted recovery limits, automatic training exclusion, and the June 1 Trusted Access for Cyber requirement remain attributed to OpenAI and corroborating coverage