OpenAI adds hardware login keys
- OpenAI launched Advanced Account Security on April 30, adding phishing-resistant sign-in for ChatGPT and Codex through passkeys and hardware security keys.
- The strict mode disables passwords, email or SMS login codes, and email recovery, then adds recovery keys, shorter sessions, alerts, and device controls.
- That matters because ChatGPT and Codex now hold meeting notes, codebases, and other sensitive work data worth stealing.
OpenAI just added a much stricter login mode for ChatGPT accounts. The point is simple — if these products now hold your code, notes, files, and work context, a stolen password is a much bigger problem than it used to be. So on April 30, OpenAI rolled out Advanced Account Security, an opt-in setting that pushes people toward passkeys and hardware security keys instead of the usual weaker recovery paths. It covers ChatGPT and Codex, which is the important part, because Codex can sit close to real code and cloud workflows. (openai.com)

### What actually changed?

This is not just “we support passkeys now.” OpenAI already had passkey support for normal sign-in. The new thing is a hardened account mode that changes the whole login and recovery posture for higher-risk users — journalists, executives, developers, activists, or really anyone who wants the strongest option available. Once enrolled, the account expects phi(openai.com)t around them. (openai.com)

### Why are hardware keys different?

A hardware key like a YubiKey is basically a physical credential you touch during login. That matters because phishing attacks usually work by tricking you into typing a password or a one-time code into the wrong page. Security keys and passkeys use cryptographic checks tied to the real site, so the fake page trick falls apart. That is why Yubico and OpenAI are leaning so hard on “phishing-resistant” here. (yubico.com)

### What does the strict mode turn off?

This is the part that makes the launch more serious than a normal feature add. Advanced Account Security disables password sign-in, email and SMS sign-in codes, and email-based account recovery. In exchange, it adds recovery keys, shorter active sessions, login notifications, and better session management. Basically, OpenAI is removing the soft back doors tha(yubico.com)ronger. (help.openai.com)

### Why does Codex make this more urgent?

Because Codex is not just a chatbot tab. OpenAI’s own developer docs warn that Codex cloud interacts directly with a codebase and needs stronger security than many standard ChatGPT features. If an attacker gets into that account, the risk is not only private chats leaking — it can mean access to source code, development context, an(help.openai.com)ccount takeover. (developers.openai.com)

### Is this only for people buying new keys?

No. OpenAI partnered with Yubico, and Yubico is selling a custom two-pack tied to the launch, but people with existing compatible security keys can use them too. OpenAI’s help docs also make clear that enrollment can work with two compatible hardware keys or with passkeys that meet the recovery requirements. So the partnership is real, but the program is not locked to one vendor’s new bundle. (yubico.com)

### Why not just keep normal MFA?

Because normal MFA still gets phished all the time. SMS codes can be intercepted or socially engineered. Email recovery is only as strong as the email account. Even app-based codes can be typed into a fake site. Passkeys and hardware-backed credentials are meant to kill that who(yubico.com) than a convenience setting. (help.openai.com)

### What’s the catch?

The catch is friction. Stronger recovery means harsher failure modes if you lose your devices and backup methods. OpenAI says setup requires multiple compatible sign-in methods, and the system checks whether they meet cross-device requirements. So this is safer, but it asks users to behave more like admins — keep backups, register more than one key, and think ahead about recovery. (help.openai.com)

### Bottom line?

This is OpenAI admitting that a ChatGPT account is no longer just a casual app login. For a growing number of users, it is becoming a vault for sensitive work context. Hardware-backed login is the obvious next step. (openai.com)