Introducing Advanced Account Security

Introducing Advanced Account Security

Today, we're introducing Advanced Account Security, a new opt-in setting for ChatGPT accounts, designed for people at increased risk of digital attacks, as well as for those who want the strongest account protections available. It brings together a set of heightened security measures that help safeguard against account takeover while making those protections easier to activate in one place. Once enrolled, Advanced Account Security protects users in Codex as well.

People are turning to AI for deeply personal questions and increasingly high-stakes work. Over time, a ChatGPT account can hold sensitive personal and professional context, and sit at the center of connected tools and workflows. For some people, like journalists, elected officials, political dissidents, researchers, and those who are especially security-conscious, the stakes are even higher.

This effort is part of our broader cybersecurity action plan⁠ (opens in a new window) to broaden access to the technologies that can help protect communities, critical systems, and our national security. We want users to have the controls to make the security and privacy choices that are right for them. At the same time, we want to ensure users understand that the increased protection of Advanced Account Security comes with an increased responsibility for account recovery.

How Advanced Account Security works

Advanced Account Security brings together a series of controls that strengthen sign-in protections, tighten account recovery, reduce exposure from compromised sessions, and give users more visibility into account activity. It's available to opt into in the Security section of users' ChatGPT accounts on web. Protection applies to both ChatGPT and Codex accounts that are accessed through that login.

Stronger sign-in methods. Advanced Account Security requires passkeys or physical security keys while disabling password-based login, helping make phishing-resistant sign-in the default for people who need it most.

More secure account recovery. If a user's email account or phone number is compromised, an attacker may try to use one of them to gain access to their ChatGPT account via e-mail or SMS based recovery. To reduce this risk, Advanced Account Security disables email and SMS recovery and requires stronger recovery methods: backup passkeys, security keys, and recovery keys. Because account recovery is restricted to these more secure methods, OpenAI Support will not be able to assist with account recovery for users enrolled in Advanced Account Security.

Shorter sessions and clearer session management. Sign-in sessions are shortened to reduce the window of exposure if a device or active session is compromised. Users also receive alerts when there is a login to their account, and they can review and manage the active sessions across the various devices they're signed into.

Automatic training exclusion. People working with especially sensitive information may opt not to have those conversations used for model training. With Advanced Account Security enabled, that preference is automatic: conversations from those accounts will not be used to train our models.

Making phishing-resistant authentication more accessible with Yubico

Using physical security keys, such as YubiKeys, is one of the strongest defenses against phishing. To make that level of protection easier to access, we have partnered with Yubico, a leader in hardware-based authentication and account protection, to offer our users preferred pricing on a customized bundle of best in class security keys. The YubiKey C Nano is designed to stay in your laptop for simple, low-friction daily authentication, and the YubiKey C NFC for backup, and use across laptops and mobile devices.

We're launching this partnership as part of Advanced Account Security, but the bundle will be available to all eligible users in their security settings on web so more people can adopt stronger, phishing-resistant account protection. Users will also be able to use any other FIDO-compliant security key, or use software-based passkeys.

Protecting Trusted Access for Cyber

We continue to expand programs that give verified defenders access to more capable and permissive models, and we need to ensure that the accounts of those defenders are protected with our most advanced security protections.

Individual members of Trusted Access for Cyber accessing our most cyber capable and permissive models will be required to enable Advanced Account Security beginning June 1, 2026. Organizations with trusted access can, as an alternative, attest that they have phishing resistant authentication as part of their single sign-on workflow.

An important step, with more to come

OpenAI is becoming the core infrastructure for AI, making it possible for people around the world and businesses, big and small, to just build things. The broad consumer reach of ChatGPT creates a powerful distribution channel into the workplace, where demand is rapidly shifting from basic model access to intelligent systems that reshape how businesses operate. Developers build on and expand the platform by leveraging our APIs, and Codex is transforming how developers turn ideas into working software.

As AI becomes increasingly embedded in our lives, it is more important than ever to ensure that users have the controls they need to help protect their privacy and security.

Privacy and security are foundational to how we build all of our products and we'll continue investing in protections that give people more control and stronger safeguards over time. We expect to extend this work to additional audiences, including enterprise environments, where stronger account security can matter just as much.

OpenAI users who want additional protection can enroll in Advanced Account Security ⁠ (opens in a new window)on web starting today.

Author