OpenAI is rolling out a new security upgrade for users of ChatGPT and Codex, aiming to make accounts significantly harder to compromise in phishing and takeover attempts. The feature, called Advanced Account Security, is optional for most users but brings stricter login controls and removes several familiar recovery methods in exchange for stronger protection.
The move comes at a time when AI tools are becoming deeply embedded in personal and professional workflows. From writing assistance to coding support, accounts like ChatGPT are no longer just casual chat tools but repositories of sensitive context and work-related information. OpenAI is positioning this update as a response to that change.
“People are turning to AI for deeply personal questions and increasingly high-stakes work,” the company said in a blog post on Thursday. “Over time, a ChatGPT account can hold sensitive personal and professional context, and sit at the center of connected tools and workflows. For some people, like journalists, elected officials, political dissidents, researchers, and those who are especially security-conscious, the stakes are even higher.”
At the core of Advanced Account Security is a stricter authentication system. Instead of relying on traditional passwords, users who enable the feature will need to set up passkeys or at least two physical security keys. This approach is designed to block phishing attacks that often trick users into revealing login credentials.
OpenAI is also removing common recovery pathways under this mode. Email and SMS-based account recovery will no longer work for these users. Instead, recovery will depend on backup passkeys or physical security keys, reducing the risk of attackers hijacking accounts through social engineering or compromised email access.
The company has also partnered with Yubico to make hardware security keys more accessible, including discounted YubiKey bundles for users opting into the advanced protection tier.
One notable change is how recovery support is handled. Once Advanced Account Security is enabled, users cannot rely on OpenAI’s support team to regain access if they lose their credentials. Since support is no longer part of the recovery chain, it also removes a common attack vector where hackers attempt to manipulate support systems to gain control of accounts.
The update also tightens everyday usage patterns. Sessions will be shorter, meaning users will need to log in more frequently across devices. In addition, login alerts will be pushed whenever a new device accesses an account, allowing users to quickly review active sessions across ChatGPT and Codex dashboards.
Privacy settings are also being adjusted in this mode. While ChatGPT users can normally opt out of having their conversations used for model training, this option is automatically enabled by default for Advanced Account Security users, offering an added layer of data control.
