OpenAI adds passkeys and security keys to ChatGPT

Advanced Account Security requires two sign-in methods — password plus a passkey or hardware key — disables email/SMS recovery and excludes those conversations from training.

OpenAI has rolled out Advanced Account Security for ChatGPT, requiring users to pick two sign-in methods, typically a password plus a passkey or physical security key. Accounts enrolled in the feature will also be excluded from model training.

The system functions as an enhanced multi-factor authentication setup. It asks users to choose two ways to sign in; one option can be a passkey tied to a device or a FIDO-compliant hardware key. OpenAI said the goal is to reduce successful phishing because a password alone will not grant access.

Users with enrolled accounts will receive alerts when a new device signs in, can view active sessions, and must sign in more frequently, which limits exposure if an account is compromised. After enrollment, users must sign in again on all devices.

Account recovery no longer uses email or SMS for enrolled accounts. Recovery must rely on backup passkeys, security keys or recovery keys. OpenAI warned that Support will not be able to assist with account recovery for users enrolled in Advanced Account Security and wrote, “Advanced Account Security prioritizes security over convenience.”

OpenAI added that conversations from accounts enrolled in the feature “will not be used to train our models,” making the exclusion automatic for those users.

Users can enroll from their ChatGPT account Settings under Security by selecting Advanced Account Security and following the prompts. The protections apply to ChatGPT and Codex accounts that share the same login, and they work with any FIDO-compliant security key. OpenAI has a partnership with Yubico offering a discounted YubiKey bundle that includes a USB-C Nano key and a backup key for £61.

Security professionals participating in OpenAI’s Trusted Access for Cyber program must enable Advanced Account Security by the beginning of June or demonstrate phishing-resistant authentication. The protections currently apply on an individual account basis; OpenAI wrote that it plans to extend the work to enterprise environments in the future.
