OpenAI has released Advanced Account Security, an opt-in hardening mode for ChatGPT accounts that eliminates password-based login, disables SMS and email account recovery, shortens authentication sessions, and opts conversations out of training data use. The feature is designed for users at elevated risk of targeted account compromise — journalists, activists, executives, and high-value enterprise users — and is mandatory for members of OpenAI's Trusted Access for Cyber program beginning June 1, 2026.
Technical Details
Advanced Account Security restructures authentication and recovery around phishing-resistant credentials rather than shared secrets. The key changes:
- Login method: Password-based authentication is disabled. Users must authenticate with a passkey (device-bound cryptographic credential) or a physical security key (FIDO2/WebAuthn hardware token). Both methods are phishing-resistant by design — they bind the credential to the registered origin and cannot be relayed to a fraudulent site.
- Account recovery: Email-link and SMS-code recovery are disabled entirely. Recovery requires one of: a backup passkey registered on a separate device, a backup physical security key, or a pre-generated recovery code stored offline. This eliminates SIM-swapping and email compromise as viable account takeover paths.
- Session management: Sign-in sessions are shortened to reduce the exposure window if a device or active session is compromised. Users receive real-time alerts on new sign-ins and can review and terminate active sessions across all devices from their account dashboard.
- Training data: Conversations under Advanced Account Security are not used to train OpenAI models. This is an ancillary privacy benefit, not the security feature, but it addresses a common concern among enterprise and security-sensitive users.
OpenAI has partnered with Yubico to offer preferred pricing on a two-key bundle for users enrolling in the new security setting. The bundle pairs a YubiKey C Nano — designed to remain plugged into a laptop USB-C port — with a YubiKey C NFC for cross-device authentication on mobile and as a backup key. The inclusion of a backup key is intentional: a single-key deployment creates a lockout risk if the key is lost or damaged.
Why This Matters
ChatGPT accounts increasingly hold high-sensitivity content: business intelligence from document uploads, API configurations, custom GPT instructions, conversation history across enterprise workflows, and organizational data submitted through integrations. Account compromise at scale creates a different threat profile than a typical consumer web service.
The shift to passkeys addresses the weakest point in standard MFA: the TOTP or SMS second factor can still be phished or SIM-swapped. Phishing-resistant authentication — where the credential itself cannot be intercepted and replayed — closes that vector. OpenAI's announcement notes this is specifically designed for "people at increased risk of digital attacks."
The Trusted Access for Cyber mandate — requiring Advanced Account Security for OpenAI's most capable model tiers starting June 1 — signals that OpenAI considers standard account protection insufficient for users with access to frontier model capabilities.
Who Is Affected
Advanced Account Security is currently opt-in for all ChatGPT users. Mandatory enrollment applies to members of the Trusted Access for Cyber program starting June 1, 2026. Enterprise ChatGPT customers managing team accounts should evaluate whether to mandate the feature across their organization, particularly for users who routinely interact with sensitive internal documents or configurations.
Users without compatible devices will need to acquire hardware keys. Passkeys can be generated on any modern device with a compatible biometric authenticator (Face ID, Windows Hello, etc.), while physical security keys require separate hardware purchase.
What You Should Do Right Now
- Enroll in Advanced Account Security now if you use ChatGPT for anything sensitive. The feature is available immediately — navigate to account settings and enable it before you need to. Do not wait for a compromise event.
- Purchase at least two hardware or software passkeys. Single-key setups create lockout risk. Register a primary key and a backup stored separately.
- Audit active ChatGPT sessions. Review which devices currently have active sessions and terminate any you do not recognize or no longer use.
- Brief your team on the June 1 mandate if your organization has Trusted Access for Cyber enrollment. Users who have not configured passkeys by that date will lose access to the highest-capability model tiers.
- Review what data is stored in your ChatGPT account. Before the security profile change, inventory what documents, API keys, or configurations are accessible through your account and ensure they are appropriately protected at the source.
Conclusion
OpenAI's Advanced Account Security is a meaningful step toward phishing-resistant authentication for an AI platform that now holds significant enterprise data. Security-conscious organizations should treat this as a prompt to audit their ChatGPT exposure and enforce the feature for all users with access to sensitive workflows before the mandatory June 1 deadline arrives.

