OpenAI Launches Advanced Account Security With Passkeys and Yubico Partnership

--- headline: "OpenAI Launches Advanced Account Security With Passkeys and Yubico Partnership" slug: openai-advanced-account-security-passkeys category: llms-genai story_number: "06" date: 2026-05-04 ---

OpenAI is eliminating passwords for its most at-risk users. On April 30, the company unveiled Advanced Account Security, an opt-in protection tier for ChatGPT and Codex that replaces password-based login entirely with passkeys or hardware security keys, and announced an industry-first partnership with Yubico to sell co-branded YubiKeys at a steep discount. For journalists, political dissidents, researchers, and elected officials who rely on ChatGPT for sensitive work, the era of typing a password into one of the world's most widely used AI platforms is officially over.

What Advanced Account Security Includes

The new feature, which any ChatGPT user can enable but is specifically designed for high-risk individuals, fundamentally changes how accounts are authenticated and recovered. Once toggled on, Advanced Account Security requires users to register two passkeys, two hardware security keys, or one of each. Password-based login is permanently disabled. Email and SMS account recovery -- the vectors most commonly exploited in phishing and SIM-swapping attacks -- are eliminated, replaced by backup passkeys, backup security keys, and cryptographic recovery keys.

The protections extend beyond login. Conversations from accounts with Advanced Account Security enabled are automatically excluded from being used to train OpenAI's AI models. Login sessions expire more quickly, and users receive notifications every time their account is accessed from a new device. It is a comprehensive lockdown that treats account security as a layered system rather than a single checkpoint.

"Security is germane to OpenAI's mission," said Dane Stuckey, OpenAI's Chief Information Security Officer, who joined the company from Palantir in 2024. "It is critical we meet the highest standards for compliance, trust, and security to protect hundreds of millions of users of our products."

The Yubico Partnership

The hardware component of the announcement centers on a new collaboration with Yubico, the Swedish-American company that pioneered the hardware security key market. OpenAI and Yubico are releasing a co-branded two-pack of YubiKeys -- the YubiKey C NFC for tap-to-authenticate on mobile devices and the YubiKey C Nano, a low-profile key designed to stay plugged into a laptop's USB-C port -- for $68. That price is less than half the standard retail cost of purchasing the two keys separately, a significant subsidy that signals OpenAI's intent to drive adoption rather than merely offer a premium option.

"We are introducing a new model for phishing-resistant security at scale for the AI ecosystem," said Yubico CEO Jerrod Chong. "This partnership with OpenAI delivers the highest level of protection against phishing with a low friction user experience. Ultimately, our intent is to drastically reduce the threat of unauthorized access to sensitive data in OpenAI accounts worldwide."

The keys are physically identical to Yubico's existing product line but carry OpenAI branding and are sold through OpenAI's channels. Users can also register any other FIDO-compliant security key or use software-based passkeys stored on their devices through platforms like iCloud Keychain or Google Password Manager.

OpenAI was already using YubiKeys internally to protect employees and infrastructure from sophisticated phishing attacks. The partnership effectively extends that internal security posture to external users.

Why Now -- and Why It Matters

The timing is not coincidental. ChatGPT now has 900 million weekly active users and 50 million paying subscribers, figures OpenAI reported in February 2026. At that scale, the platform is an enormous target for credential theft, social engineering, and state-sponsored attacks. The accounts of journalists, researchers, and government officials often contain sensitive conversation histories -- draft stories, policy deliberations, research data -- that would be valuable to adversaries.

The broader industry context adds urgency. Passkeys, the FIDO Alliance's passwordless authentication standard built on public-key cryptography, have gained significant traction since Apple, Google, and Microsoft began integrating them into their operating systems in 2022 and 2023. But adoption among consumer-facing AI platforms has lagged. OpenAI's move makes it one of the first major AI companies to offer -- and for some users, mandate -- phishing-resistant authentication as the default.

That mandate is a critical detail. Beginning June 1, 2026, individual members of OpenAI's Trusted Access for Cyber program -- which grants access to the company's most capable and permissive cybersecurity models -- will be required to enable Advanced Account Security. It is a tacit acknowledgment that the most powerful AI tools demand the strongest identity protections, particularly as models grow increasingly capable in domains like vulnerability research and code generation.

The Bigger Picture

OpenAI's security announcement arrives at a moment when the AI industry is grappling with the dual reality of building increasingly powerful systems while simultaneously becoming high-value targets. The company's approach -- combining passwordless authentication, hardware key subsidies, automatic training data exclusion, and mandatory adoption for its most sensitive access tier -- represents one of the most comprehensive account security packages offered by any consumer technology platform, not just in AI.

The question is whether opt-in adoption will be sufficient. Security features that require user action historically see low uptake. Google's Advanced Protection Program, which similarly requires hardware keys, has been available since 2017 but remains a niche product despite its effectiveness. OpenAI's $68 YubiKey bundle and the June 1 mandate for Trusted Access users suggest the company is aware of this challenge and is using both price incentives and policy requirements to push adoption beyond the security-conscious minority.

For the 900 million people who use ChatGPT every week, the message is clear: the AI platform that holds your conversations, your creative work, and increasingly your professional workflows is no longer willing to let a reusable password be the only thing standing between that data and an attacker.