OpenAI just flipped the script on ChatGPT security. No more passwords for those who opt in to its new Advanced Account Security feature. Instead, users must register two passkeys, two hardware security keys, or one of each to log in. This opt-in mode, available now to everyone including free-tier accounts, targets journalists, elected officials, political dissidents, researchers—and anyone paranoid enough about phishing.
The move comes amid rising threats. Over 100,000 stolen ChatGPT credentials surfaced on dark web markets last year, fueling phishing campaigns. A Mixpanel breach exposed user data, making accounts prime targets. OpenAI’s response? Borrow zero-trust principles from government systems and crypto wallets. Passwords vanish. Email and SMS recovery? Gone. Sessions shorten. Every new login triggers an alert, with options to view and kill active ones right from settings. Conversations even get excluded from model training automatically.
But here’s the kicker. Lose your recovery key or both authenticators? Your account’s toast. No support team bailout. OpenAI spells it out plainly: users bear full responsibility. OpenAI’s blog warns of this trade-off upfront.
Yubico enters the fray with a custom two-pack: YubiKey C NFC and YubiKey C Nano, co-branded and priced at $68—half the usual $126 retail for similar gear. The NFC version taps phones or readers; the Nano sticks permanently in USB-C ports for frictionless use. Any FIDO2-compliant key works, but this bundle sweetens the deal. “We’ve made YubiKeys a standard part of how we protect OpenAI employees, and with Advanced Account Security, we’re making it easier for ChatGPT users to choose that same kind of phishing-resistant protection when it’s right for them,” OpenAI states in its announcement, echoed in Yubico’s press release.
Passkeys rely on cryptographic key pairs: the private key stays locked on the device, unlocked via biometrics or a PIN, and the service holds only the public key. No secrets traverse the network. Hardware keys like YubiKeys amp this up—physical tokens attackers can’t phish remotely. Google handed them to 85,000 staff in 2017. Result? Zero successful phishing attacks since. OpenAI mimics that playbook, treating ChatGPT like online banking: no passwords, no easy recovery, pure hardware enforcement.
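To make that phishing resistance concrete, here is an added example (not from OpenAI, Yubico or the original article) that models one WebAuthn login in Node.js: the authenticator signs over the origin the browser reports, so a login relayed through a lookalike site fails server-side verification. The function names and the domains login.example and login-example.test are constructed; a real authenticator would also refuse to offer the credential for a different relying-party ID.

```javascript
// Added illustration; function names and both domains are constructed for this example.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Authenticator: the private key stays inside this closure; only publicKey is registered.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  // `origin` is filled in by the browser, not by the page asking for the login.
  const sign = (rpId, origin, challenge) => {
    const clientDataJSON = Buffer.from(JSON.stringify(
      { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
    // authenticatorData = SHA-256(rpId) || flags (user present + verified) || 4-byte counter
    const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
    const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
    return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, privateKey) };
  };
  return { publicKey, sign };
}

// Relying party: core checks of WebAuthn assertion verification, in order.
function verifyAssertion(expected, publicKey, { clientDataJSON, authData, signature }) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpId mismatch';
  if ((authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad signature';
}

function demo() {
  const rp = { rpId: 'login.example', origin: 'https://login.example',
    challenge: crypto.randomBytes(32) };
  const key = makeAuthenticator();
  const genuine = verifyAssertion(rp, key.publicKey, key.sign(rp.rpId, rp.origin, rp.challenge));
  // Lookalike site relays the real challenge, but the browser reports the lookalike origin.
  const relayed = key.sign('login-example.test', 'https://login-example.test', rp.challenge);
  const phished = verifyAssertion(rp, key.publicKey, relayed);
  // Rewriting the origin afterwards changes the signed hash, so the signature fails.
  const forged = key.sign(rp.rpId, 'https://login-example.test', rp.challenge);
  forged.clientDataJSON = Buffer.from(
    forged.clientDataJSON.toString('utf8').replace('login-example.test', 'login.example'));
  return { genuine, phished, tampered: verifyAssertion(rp, key.publicKey, forged) };
}

console.log(demo());
```

The genuine login verifies, the relayed one is rejected on the origin check, and the edited one is rejected on the signature, which is why a stolen or proxied response is useless to a phishing site.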
TechCrunch reports the partnership underscores phishing’s surge against AI users, with Yubico’s keys now tied directly to ChatGPT logins. Wired notes how accounts accumulate “sensitive personal and professional context,” sitting at the heart of workflows—making takeover devastating.
And it’s not just consumers. By June 1, 2026, this becomes mandatory for OpenAI’s Trusted Access for Cyber program members—cyber defenders using tools like GPT-5.4-Cyber for malware analysis and reverse engineering. Free users can join now via Settings > Security at chatgpt.com. Axios highlights the password ditch as a step toward broader adoption.
Critics might balk at the rigidity. What if you travel without your keys? Or forget that recovery code? OpenAI bets high-stakes users will adapt. PCMag praises the YubiKey Nano’s low-friction design but flags the irreversibility. The Next Web ties it to credential reuse driving 46% of small-business attacks this year.
On X, OpenAI’s CISO DANΞ outlined the launch: AAS demands passkeys or keys, tightens recovery, and pairs with Yubico for accessibility. Yubico’s account promoted the bundle as “the gold standard for AI protection.” Enterprise chatter emphasizes mandates for teams handling client data in AI.
This isn’t optional window dressing. As ChatGPT integrates deeper—Codex for code, workflows for pros—accounts hold goldmines. Attackers know it. OpenAI’s forcing a hardware reckoning. Passwords? Relics. Expect copycats. But will mass adoption follow? Only if users stomach the self-custody burden.
Setup’s straightforward. Hit chatgpt.com/advanced-account-security. Register authenticators. Grab that recovery key. Print it. Store it safe. Done. No turning back.
For insiders, watch compliance ripples. FIDO2 alignment means enterprise SSOs integrate easily. But lost-key policies? Rewrite them now. OpenAI just raised the bar—and handed you the ladder.


WebProNews is an iEntry Publication