To stop the most determined hackers, OpenAI is introducing a new security mode for ChatGPT and Codex accounts that ditches traditional passwords for more secure alternatives.
The opt-in setting is called “Advanced Account Security,” and features hardware security keys and software-based passkeys for account logins. The company is rolling out the new mode via ChatGPT’s web interface in Settings > Security, which leads users to a page that outlines the pros and cons of the feature, along with a 3-step process to enroll.
The new setting—also available at chatgpt.com/advanced-account-security—doesn’t require hardware-based security keys. However, the enrollment process includes a discounted custom bundle from security maker Yubico that offers two hardware security keys for $68, including the YubiKey C NFC and YubiKey C Nano. Security keys from other vendors are also supported.
OpenAI designed the mode for “people at increased risk of digital attacks,” which could include government officials, corporate executives, researchers, and human rights activists. Advanced Account Security works by making a user’s account resistant to phishing messages, password guessing, and SIM swap attacks, which is how hackers usually crack online accounts.
The new security mode dumps the traditional login option via email address and passwords, which hackers can steal to break in. In addition, OpenAI’s advanced security mode disables the account recovery route through email and text-based SMS codes, which can also be phished.
Users must instead log in through a hardware key—a physical USB device—or a software-based passkey, which resides on a device, whether it's a PC or smartphone. Neither security system can be stolen through a remote digital hack, making them a more secure alternative to traditional passwords.

The new security mode is similar to Google’s Advanced Protection Program, which dates back to 2017 and required users to own two hardware security keys (one Bluetooth, one USB) before the company expanded support for passkeys. Google introduced the program over a year after Russian state-sponsored hackers used a spear-phishing email attack to break into the Gmail account of John Podesta, chair of Hillary Clinton’s 2016 presidential campaign.
OpenAI says its advanced security program is not a response to a hacking incident but intended to preempt future threats. Both ChatGPT and OpenAI's coding product, Codex, have been gaining wide-scale adoption and can handle sensitive details, including users’ personal chats and confidential work projects. “For some people, like journalists, elected officials, political dissidents, researchers, and those who are especially security-conscious, the stakes are even higher,” OpenAI notes.
Of course, the new security mode comes with some trade-offs, especially for account recovery. OpenAI’s Advanced Account Security is so locked down that the company itself won’t be able to recover your account if you lose the hardware security keys or passkeys. That’s why its enrollment process requires you to use at least two hardware security keys, or one hardware security key and one software-based passkey, with the extra key serving as a backup.
Users can also enroll with two software-based passkeys, but one of them must be synced to the cloud via Google Password Manager or Apple’s iCloud Keychain.
For account recovery, OpenAI will issue backup recovery keys during enrollment. These strings of digits are meant to be stored in a safe place, enabling the user to recover their account on their own if all security keys and passkeys are lost.
Another notable trade-off is that “sign-in sessions are shortened to reduce the window of exposure if a device or active session is compromised,” the company says. So you’ll probably need to log back in more frequently. OpenAI notes the security key bundle includes the YubiKey C Nano, which is "designed to stay in your laptop for simple, low-friction daily authentication." Logging back in with a passkey is also easy, since it's saved on the device.
Advanced Account Security doesn't totally eliminate all hacking threats. For example, while a malware infection can't steal a passkey, let alone a hardware security key, the attack could still pave the way for a hacker to remotely hijack a computer, including its browser sessions. Another obvious attack vector is if your computer is stolen or seized by government authorities.
Perhaps in response, OpenAI's new security mode lets you review and manage all active sessions across your account, giving you a way to see and disconnect devices that’ve logged in to your account. Users will also receive alerts when someone logs in to their account. In addition, Advanced Account Security automatically opts users out of exposing their data to AI model training, which can also be switched off by going to Settings > Data controls.
If Advanced Account Security proves to be inconvenient, users can deactivate the feature. OpenAI also lets users pick and choose which extra safeguards they adopt; ChatGPT offers passkeys, hardware security key support, and multi-factor authentication in account settings.


