OpenAI replaces passwords with keys

Passwords are cheap. Account takeovers are expensive. That tradeoff is what this OpenAI change is really about. On April 30, OpenAI rolled out an opt-in setting called Advanced Account Security for ChatGPT and Codex accounts. Turn it on, and the old login flow basically disappears. No password sign-in. No email recovery. No SMS fallback. You get in with passkeys or physical security keys instead — and if you lose those, OpenAI says support may not be able to get you back in. (openai.com) ### What actually changed? The new mode lives in ChatGPT’s web settings under Security. It applies to the login behind both ChatGPT and Codex, so this is not just a cosmetic toggle for one product. OpenAI says it is aimed at people who face a higher risk of phishing or account takeover, but it is available to any user who wants it. (openai.com)sword? Because passwords are the weak link in almost every phishing story. A fake login page can steal one. A reused password can leak somewhere else. Even email- or SMS-based recovery gives attackers extra paths if they compromise your inbox or phone number first. OpenAI’s fix is to remove those softer paths and make phishing-resistant login the default for anyone who opts in. (openai.com) ### So what do you use instead? Two things — passkeys and security keys. A passkey is a cryptographic credential usually tied to your device ecosystem, like your phone or laptop. A hardware security key is the physical version — a small device you tap or plug in. OpenAI’s setup requires at least two secure sign-in methods, including one that works across(openai.com)whole point: one key can fail, get lost, or stay in the wrong bag. (help.openai.com) ### Where does Yubico fit in? OpenAI also announced a partnership with Yubico, the company behind YubiKeys. The companies are selling a custom two-pack tied to this launch. That matters less as branding than as a signal: OpenAI wants users to think in hardware, not just app-based codes. In other words, this is not “2FA but nicer.” It is a push toward the security model used by people who expect to be targeted. (techcrunch.com) ### What’s the catch? Recovery gets brutal. OpenAI says Advanced Account Security disables email and SMS recovery, and support will not be able to assist with account recovery for enrolled users. After setup, users are signed out of all devices and must sign back in with one of their enrolled methods. That makes the account much harder to phish — but also much easier to lock yourself out of if you are careless. (openai.com) ### Why is OpenAI doing this now? Because ChatGPT accounts are not just chat accounts anymore. They can hold sensitive prompts, uploaded files, coding work, and access to tools like Codex. OpenAI is also bundling shorter sessions, login alerts, and better session management into the mode, which tells you the company is thinking beyond simple login and toward full account-compromise risk. (openai.com) ### Who should actually turn this on? Not everyone. If you are the kind of user who forgets where you put your backup codes, this setting can be harsher than the threat model you face. But for journalists, executives, political staff, researchers, and anyone storing sensitive work in ChatGPT, the logic is pretty clear — fewer recovery paths means fewer attack paths. (wired.com) ### Bottom line? OpenAI did not just add another security checkbox. It changed the bargain. You get stronger protection by giving up convenience — and by accepting that losing your keys may mean losing your account for real. (openai.com)