OpenAI adds advanced account security

OpenAI just added a much stricter login mode for ChatGPT — and by extension Codex — aimed at people who think their accounts could be real targets, not just casual password-reuse victims. That means journalists, researchers, political figures, security teams, and basically anyone storing sensitive work inside ChatGPT. The gap here is simple: once AI tools become part of your daily workflow, the account itself turns into a high-value target. On April 30, OpenAI answered that with a new opt-in feature called Advanced Account Security. (openai.com) ### What changed? OpenAI rolled out Advanced Account Security as an optional setting in the Security section of ChatGPT on the web. It applies to the same login used for ChatGPT and Codex, so one switch hardens both. This is for personal accounts, not just managed enterprise setups. (openai.com) ### What does the mode actually do? The big shift is that it replaces weaker sign-in paths with phishi(openai.com)ity keys, while password login, email codes, SMS codes, and email-based recovery get turned off. OpenAI also adds recovery keys, login alerts, shorter sessions, and a screen for reviewing active sessions across devices. (openai.com 1)(openai.com 2) works by tricking someone into handing over a password or a one-time code. Passkeys and hardware keys are much harder to steal that way. Basically, OpenAI is trying to remove the most common paths for account takeover instead of just warning users to be careful. That is the same logic behind Google’s and Apple’s more locked-down account modes — fewer fallback options, fewer holes. (opena([openai.com)hat’s the catch? Recovery gets much harsher. If you lose access to your enrolled passkeys, security keys, and recovery keys, OpenAI Support will not restore the account for you. That sounds brutal, but it is the whole model: if support can wave you back in through email or manual review, attackers will try to exploit that path too. The system is safer precisely because it is less forgiving. (openai.com) just a chatbot tab — it can touch codebases, terminal-style workflows, and higher-stakes engineering tasks. OpenAI’s own developer docs already frame Codex as something that needs stronger security hygiene, and the company now treats GPT-5.3-Codex as a high-cybersecurity-capability model with extra safeguards. If that account gets hijacked, the blast radius can be much bigger than a leaked chat history. (developers.openai.com) ### How does this connect to workspace controls? OpenAI has been moving security and permissioning deeper into the product. Business and Enterprise admins already get controls over chat visibility, shared links, GPT access, role permissions, analytics visibility, and which features or models people can use. So this launch fits a broader pattern — identity hardening for individuals, tighter governance for organizations, and fewer ad hoc safety patches around the edges. (help.openai.com) ### Is this the same as Lockdown Mode? No. Lockdown Mode, introduced in February, is about reducing prompt-injection and data-exfiltration risk by constraining tools and external connections in managed workspaces. Advanced Account Security is about account takeover — who can get in, how they recover access, and how much damage a stolen session can do. Different threat, different layer. (openai.com)AI admitting that a ChatGPT login is no longer just a consumer app password. It is becoming an identity layer for work, code, research, and connected tools. Once that is true, old-school recovery shortcuts start looking less like convenience and more like attack surface. (openai.com)