OpenAI adds stronger ChatGPT account protections with Yubico partnership

OpenAI moved to confront a basic trust problem inside AI access: as ChatGPT accounts hold personal, professional, and sometimes sensitive operational context, a stolen password can open the door to far more than a chat history. The company said its new Advanced Account Security setting is aimed at users at increased risk of digital attacks, including journalists, elected officials, political dissidents, and researchers, and it applies to Codex accounts that use the same login.

The protection, announced April 30, 2026, is opt-in and available in the Security section of ChatGPT on the web. Once a user enrolls, OpenAI requires passkeys or physical security keys and turns off password-based login. It also shuts down email and SMS recovery, replacing them with backup passkeys, security keys, and recovery keys. OpenAI warned that Support will not be able to help recover an account if a user loses those approved methods, underscoring that the new system raises security by shifting more responsibility to the account holder.

The changes are meaningful for the people most likely to be targeted. Shorter sign-in sessions, login alerts, and session-management tools can reduce the window for unauthorized access across devices. But the feature is not a blanket upgrade for every ChatGPT user. It is a tightly controlled security mode that makes sense most for people whose accounts could expose sensitive documents, workflow data, or communications that might be valuable to attackers. In that sense, OpenAI is not just adding a convenience feature; it is trying to make phishing-resistant access the default for users with the highest risk profile.

The company paired the rollout with a partnership with Yubico, giving users a custom two-pack of YubiKeys beginning the same day. The bundle includes a YubiKey C NFC for tap-to-authenticate on mobile and a low-profile YubiKey C Nano designed to remain in a laptop port for everyday use. OpenAI said it already uses YubiKeys internally to protect employees and infrastructure, while Yubico framed the collaboration as a long-term move to bring phishing-resistant security at scale to the AI ecosystem. OpenAI chief information security officer Dane Stuckey and Yubico chief executive Jerrod Chong both cast hardware-backed authentication as the best defense against phishing.

The larger signal is clear: OpenAI is acknowledging that AI accounts have become gateways to valuable data, and that passwords alone no longer match the risk. The new protections materially raise the bar for high-risk users, but they also function as a public demonstration that the company is serious about security after a period of growing concern around account takeover and sensitive-data exposure.