OpenAI Launches Advanced Account Security — Passkeys, Yubico YubiKey Bundle and No-Training Privacy for ChatGPT (April 30, 2026)
OpenAI on April 30, 2026 launched Advanced Account Security: opt-in passkey login for ChatGPT, no email/SMS recovery, plus a $68 Yubico YubiKey bundle.
OpenAI on April 30, 2026 launched Advanced Account Security (AAS), an opt-in account-protection mode for ChatGPT and Codex that disables password, email and SMS login, requires phishing-resistant passkeys or hardware security keys, and excludes the user's conversations from model training. The launch comes alongside a Yubico partnership selling co-branded YubiKey 5 NFC and YubiKey 5C NFC two-packs to OpenAI users for $68 — roughly half the standard $126 retail price.
What Happened
OpenAI announced AAS in a post titled "Introducing Advanced Account Security" published on its index blog and confirmed by Axios, TechCrunch and TheNextWeb. Accounts that opt in must enroll a passkey or FIDO2 security key, and OpenAI permanently removes password, email-link and SMS one-time-code recovery — the only fallback is a backup passkey, an additional security key, or a one-time recovery code. Sign-in sessions are also shortened to "reduce the window of exposure if a device or active session is compromised," according to OpenAI's product post.
Crucially, OpenAI's support team will not be able to recover an AAS account: if a user loses every enrolled passkey and recovery code, the account is permanently locked. In exchange, conversations and prompts from AAS-enabled accounts are automatically excluded from OpenAI's model-training pipeline — a privacy guarantee the company has not previously offered free-tier users.
Key Details
- Available to everyone — AAS is offered to ChatGPT free, Plus, Pro, Team, Enterprise and Edu users, and to Codex accounts that share OpenAI logins.
- Mandatory for high-risk programs — beginning June 1, 2026, individual members of OpenAI's Trusted Access for Cyber program (vetted defenders who get expanded access to OpenAI's most cyber-capable models) must enable AAS to keep their access.
- Yubico Work With YubiKey bundle — Yubico is shipping co-branded YubiKey 5 NFC and 5C NFC two-packs at $68; standard MSRP for the same pair is $126 according to Yubico's businesswire announcement.
- No model-training on AAS conversations — automatic exclusion is a stronger privacy posture than the existing per-session "improve the model for everyone" toggle.
- Recovery is unforgiving — losing all enrolled passkeys and recovery codes means a permanently locked account; OpenAI Support cannot reset it.
What Developers and Users Are Saying
The reaction across security Twitter and TheNextWeb's comments has been mostly positive: phishing-resistant authentication for the highest-traffic AI account on the web is a security win, and the model-training exclusion answers a long-running developer complaint about Codex prompts being used as training data. The most consistent critique is the support trade-off: enterprise admins on r/OpenAI worry about onboarding employees who lose security keys with no recovery fallback, and journalists on social media point out that mandatory adoption for Trusted Access for Cyber accounts means contractors and freelance researchers must now buy hardware to maintain their existing access. Yubico stock (Nasdaq Stockholm: YUBICO) and FIDO2 vendor Token both saw modest inflows on the announcement.
What This Means for Developers
Developers using the OpenAI API directly are not affected — AAS protects ChatGPT/Codex web logins, not API keys. But for teams whose engineers ship code through Codex's web UI or who use ChatGPT Team for prompt engineering, AAS is now the de facto recommended posture: enroll two passkeys (one platform passkey on a managed device, one hardware key as backup), generate recovery codes and store them in your password manager. If your organization is part of OpenAI's Trusted Access for Cyber program, you have until June 1, 2026 to enable AAS or lose access to the program's specialized models.
For application developers building on the OpenAI platform, the bigger structural signal is that OpenAI is normalizing passkey-only authentication at consumer scale — likely the largest such rollout to date alongside Apple's iCloud and Google's Advanced Protection. Expect downstream pressure on identity vendors (Auth0, Clerk, WorkOS, Stytch) to default to passkeys in their OpenAI-shaped templates within months.
What's Next
OpenAI says it will continue to expand AAS-eligible products and is working with Yubico on additional co-branded form factors. The June 1, 2026 mandatory deadline for Trusted Access for Cyber members is the next milestone; admins of Team and Enterprise workspaces should expect a corresponding admin-enforceable policy in the same window. The OpenAI help-center page on passkeys is the canonical reference for setup, and Yubico's Work With YubiKey bundle is live now in the Yubico store.
Sources
- OpenAI — Introducing Advanced Account Security — primary source, official product post.
- TechCrunch — OpenAI announces new advanced security for ChatGPT accounts
- Axios — OpenAI now lets users use passkeys instead of passwords
- TheNextWeb — OpenAI launches hardware security keys for ChatGPT
- BusinessWire — OpenAI and Yubico Partner
- OpenAI Help Center — Passkeys to Secure Your OpenAI Account