OpenAI adds hardware key security

- OpenAI on April 30 launched Advanced Account Security for eligible personal ChatGPT accounts, adding phishing-resistant login with passkeys or physical security keys.
- The mode turns off passwords, email and SMS sign-in codes, and email-based recovery, replacing them with backup keys, recovery keys, and shorter sessions.
- It matters because ChatGPT now stores more valuable work, but the new protection is opt-in and excludes Enterprise-managed accounts.

ChatGPT accounts are starting to look a lot more like bank accounts. That is the basic news here. OpenAI rolled out an opt-in mode called Advanced Account Security on April 30 that pushes users away from passwords and toward passkeys or physical security keys instead. The point is simple — make phishing much harder, especially for people whose ChatGPT and Codex accounts now hold sensitive work, files, and creative assets.

### What actually changed?

If you turn this mode on, password login stops working. So do weaker fallback paths like email or SMS sign-in codes and email-based account recovery. OpenAI wants the account to depend on phishing-resistant methods instead — passkeys on your devices, compatible hardware security keys, backup keys, and a recovery key you save yourself.

A security key is a small device — like a YubiKey — that proves you are really you during login. That matters because phishing attacks usually win by tricking someone into typing a password or a one-time code into a fake page. A hardware key changes the game. The fake page cannot do much without the physical key, and modern passkeys work on the same phishing-resistant idea.

### Where does Yubico fit in?

OpenAI also tied this launch to a partnership with Yubico, the best-known hardware key maker. Coverage around the launch says the companies are offering co-branded YubiKey devices for ChatGPT users — specifically YubiKey C NFC and YubiKey C Nano models. That does not mean you need a Yubico key to use the feature, but it makes the hardware-key path much more visible and easier to buy into.

### Who is this for?

Not everybody needs this. OpenAI is pitching it at people with higher account-takeover risk — journalists, researchers, executives, developers, public figures, and basically anyone whose account could be a valuable target. That framing makes sense. ChatGPT is no longer just a chatbot tab with throwaway prompts. For a lot of users, it now stores drafts, code, uploaded documents, shared links, and ongoing project history.

### What is the catch?

The catch is recovery gets harsher. If you lose access to your enrolled passkeys or security keys and you did not save your recovery key, you may lose the account. That is the tradeoff. OpenAI is removing the soft rescue paths precisely because those are common attack routes when an email inbox or phone number gets compromised. More security here means less convenience later.

Should everyone use it? No. OpenAI’s help documentation says Advanced Account Security is for eligible personal ChatGPT accounts in supported regions. It is not available for ChatGPT Enterprise users, enterprise-managed accounts, or accounts tied to an enterprise-managed domain. Business and other workspace-linked setups may also depend on configuration and rollout status.

The value of a ChatGPT account changed. A year ago, stealing one mostly meant reading chats. Now it can mean access to coding tools, saved files, project context, and a lot of high-value work product. OpenAI is basically adopting a security model that has long been standard for high-risk accounts and finally bringing it to ChatGPT. It is stricter, less forgiving, and a little annoying by design. But if your account holds real work, that is exactly the point.
