FTC Disclosure: This article contains no affiliate links. TechSifted earns no commission from anything referenced in this piece.
I was poking around ChatGPT's settings last week when I found a section I hadn't noticed before: Advanced Account Security. The label wasn't flashy. Easy to scroll past.
But it's a meaningful change. OpenAI announced on April 30th, 2026, that ChatGPT and Codex users can now replace their password entirely with passkeys or hardware security keys. No more passwords. No SMS codes. Just a tap or a physical device — and OpenAI can't undo it if you lose access.
That last part is both the point and the thing you need to understand before you touch any of this.
What is a passkey, exactly?
Skip this if you already know. If you don't, it's worth two minutes.
A passkey is a cryptographic credential stored on your device. Your phone or computer generates a unique key pair when you register: the private key stays on your device, the public key goes to the website. When you log in, your device signs a one-time challenge from the site, proving it holds the private key without ever transmitting it. The site checks the signature against the public key it stored. Done.
No password gets sent. No password gets stored on OpenAI's servers to be leaked.
This matters because it breaks the two most common attack vectors. Phishing doesn't work: the passkey is bound to the domain it was registered on, so a fake ChatGPT login page on another domain gets no usable sign-in from it, and nothing reusable is ever transmitted. Credential stuffing, where attackers take a leaked password from one site and try it on others, can't touch you either. There's nothing to stuff.
Passkeys live in your device's secure enclave. Face ID or your fingerprint unlocks them. They sync across your devices if you're in Apple's or Google's ecosystem, or across everything if you use a password manager like 1Password or Bitwarden that supports passkeys.
A hardware security key is the physical version. It's a small USB or NFC device — YubiKey is the brand most people know — with the cryptographic hardware built in. You tap or plug it in to authenticate. If it's not physically in your hand, someone can't log in as you. Full stop.
What OpenAI actually shipped
The feature is called Advanced Account Security. It's opt-in, available globally for personal ChatGPT and Codex accounts (not enterprise plans — those are separate).
Here's what it does once you enroll:
- Removes password login entirely — the password field is gone
- Disables SMS and email one-time codes — those are more vulnerable than passkeys anyway
- Opts your account out of model training — your conversations won't be used to improve OpenAI's models while you're enrolled
- Sends login alerts every time someone (including you) signs into the account
- Adds a session management dashboard — you can see active sessions and revoke any that look wrong
To enroll, you need at least two authentication methods, and at least one has to work across devices: a passkey does (passkeys sync; hardware keys generally don't), and so does an NFC-capable hardware key you can tap on a phone. Valid combinations: two passkeys, two hardware security keys with at least one NFC-capable, or one passkey plus one hardware key.
OpenAI also launched a partnership with Yubico around this. They're selling a co-branded bundle of two YubiKey C NFC keys — one USB-C for your computer, one nano-size that stays in the port — for $68. Retail on those two would be about $126. If you want hardware keys and don't own any, that's the obvious starting point.
Who actually needs this
Honest take: not everyone.
If you use ChatGPT casually — recipes, drafts, random questions — your current login is fine. Enable regular two-factor authentication if you haven't already, but Advanced Account Security is engineered for higher-risk situations.
The people who genuinely need this:
Journalists, researchers, activists, elected officials. OpenAI was explicit about this. If you're storing sensitive sources, unpublished work, or anything that could create personal risk if exposed, this is built for you.
Anyone keeping real work inside ChatGPT. Confidential client information, proprietary research, business strategy conversations. If losing access to that context would hurt, stronger authentication is worth the setup.
Security-conscious users who just want the best available protection. Valid reason. It takes maybe 10 minutes.
One more group: OpenAI is making Advanced Account Security mandatory for users in its Trusted Access for Cyber program starting June 1, 2026. If that's you, you're already behind.
Read this before you do anything else
This is the part most coverage underplays, and it's the most important thing in this article.
If you lose your authentication methods and your recovery keys, OpenAI cannot get you back into your account.
Not "file a support ticket and wait." Not "takes a few weeks." They genuinely, structurally cannot help you. Your conversations, your custom GPT settings, your memory — gone.
This is intentional. The security model requires that OpenAI doesn't hold a backdoor to enrolled accounts. That's what makes it actually secure. But it also means account recovery is entirely your responsibility.
During enrollment, OpenAI generates single-use recovery keys. Treat them like the master password to a password manager — or better yet, like a crypto seed phrase. Options for storing them safely:
- Print them and put the paper somewhere physically secure (locked drawer, safe)
- Store them in a password manager separate from your main one
- Write them in a notebook you keep somewhere specific
And register two authentication methods, not one. The second one is your backup if your phone dies, your YubiKey gets lost, or your laptop's Face ID stops cooperating. One method is a single point of failure. Two is a safety net.
Don't skip this. I've seen people get locked out of accounts they couldn't recover. It's not a fun afternoon.
What you'll need before you start
Going with passkeys:
- iPhone (iOS 16 or later), Android device, or a computer with Windows Hello or macOS Touch ID
- Your OS keychain (iCloud Keychain, Google Password Manager) or a password manager that supports passkeys (1Password, Bitwarden, Dashlane)
- The ability to register two separate passkeys — different devices, different password manager accounts, or one of each
Going with hardware security keys:
- Two FIDO2-compatible keys (YubiKey 5 series, YubiKey C NFC, Google Titan, etc.)
- At least one needs to work across devices — so either a passkey as your second method, or an NFC-capable key for phones
Going mixed (one of each):
- One passkey on a device you control
- One FIDO2 hardware key
All three options require you to save the recovery keys OpenAI provides during setup. No exceptions.
Step-by-step: Setting up passkeys for ChatGPT
The most common setup. No hardware required.
Step 1: Log into ChatGPT
Go to chat.openai.com and log in however you currently do.
Step 2: Open Settings
Click your profile icon in the top-right corner. Select Settings from the dropdown.
Step 3: Navigate to Security
In the Settings sidebar, click Security. You'll see an "Advanced Account Security" section near the bottom.
Step 4: Add your first passkey
Click Add passkey. Your browser will prompt you to authenticate — Face ID, Touch ID, Windows Hello, or your password manager's passkey interface. Follow the prompts. The passkey gets registered.
Step 5: Add a second passkey
Click Add passkey again. This time, use a different device or a different account in your password manager. This is your fallback. Don't skip it.
Step 6: Save your recovery keys
OpenAI will display single-use recovery codes before finalizing enrollment. Save them somewhere offline. Screenshot them. Write them down. Both, ideally. One caveat on the screenshot: a photo library that syncs to the cloud is not offline storage, so move the image somewhere you control rather than leaving it in your camera roll.
Step 7: Complete enrollment
Confirm the setup. Your password is now disabled. Email and SMS codes are disabled. Passkey login is active.
Next time you open ChatGPT, you'll tap through a passkey prompt instead of typing anything. Takes about two seconds.
Step-by-step: Setting up hardware security keys for ChatGPT
Same process, slightly different hardware steps.
Steps 1-3: Same as above — log in, open Settings, go to Security.
Step 4: Add your first hardware security key
Click Add security key. When your browser prompts you, plug in your YubiKey (or tap it via NFC on your phone). Touch the gold disc on the key when it blinks — that's the confirmation tap. Your browser registers the key.
Step 5: Add your second method
This is where you have options. Add a second hardware key the same way, or add a passkey as your second method (recommended if one of your keys isn't NFC-capable, since you'll want something that works on mobile too).
Step 6: Save recovery keys
Same critical step. Don't skip it.
Step 7: Complete enrollment
Confirm and finish. Password login is gone. Hardware key authentication is active.
One practical note: keep your second key somewhere different from your first — different bag, different location at home. Two keys in the same backpack is two keys lost at the same time.
What changes after you enroll
Logging into ChatGPT now goes like this: you visit the site, click Sign in, and get a passkey or security key prompt. No password field. No code to look up. Two seconds and you're in.
Your account is opted out of model training for as long as you're enrolled. If that's something you've cared about — and plenty of people do — it's a real secondary benefit.
Login alerts start immediately. You'll get an email every time someone signs into your account, including you. If you log in from multiple devices regularly, expect those emails. The session management dashboard lets you see what's active and revoke anything unfamiliar.
The rest of ChatGPT doesn't change. Same features, same plan, same custom GPTs and memory. This only affects the front door.
Frequently asked questions
Can I go back to password login after enrolling?
Yes. You can unenroll from the same Security settings page. You'd need to reset your password since it was disabled during enrollment.
What if I lose the device that has my passkey?
That's why you have two methods. Log in with your second passkey or hardware key, then add a new passkey for your new device. If you've lost both methods, use a recovery key.
Does this work on the ChatGPT iOS and Android apps?
Yes. The mobile apps use the same authentication backend as the web version. Passkeys on iPhone use Face ID via iCloud Keychain.
How is this different from two-factor authentication?
Significantly different. Regular 2FA keeps your password and adds a second step (usually an SMS code). Advanced Account Security removes the password entirely and replaces the whole system. Passkeys are more phishing-resistant and more secure than any SMS-based method.
What if someone physically steals my YubiKey?
They'd still need to know which service to use it with and get to the login page. It's not automatic access. But if a key is stolen, unenroll immediately using a backup method or recovery key, then re-enroll with new keys.
My YubiKey is NFC — does it work with my iPhone?
Yes. NFC-capable YubiKeys (the C NFC model, for example) work with iOS. You tap the key to the back of your iPhone near the top. iOS recognizes it as a FIDO2 device.
The bottom line
Advanced Account Security is a real improvement, and it's good that OpenAI built it. Passkeys over passwords — no SMS codes, no OpenAI backdoor — is how high-stakes authentication should work.
The tradeoff is genuine: you own your account recovery completely. That's not carelessness on OpenAI's part. That's what actual strong security looks like. If you commit to storing recovery keys properly and maintaining two registered methods, what you get in return is an account that's significantly harder to compromise.
Casual users: regular 2FA is probably sufficient for now. But if you're storing anything sensitive in ChatGPT, or you're in a profession where account security isn't abstract — enable this. The setup took me about eight minutes. It's worth it.
For the full picture of what ChatGPT can do in 2026, our ChatGPT review covers everything from model capabilities to pricing. If you're using ChatGPT in a team context, the Workspace Agents launch is worth understanding too — it changed how shared AI workflows operate. And if you're thinking holistically about digital security beyond your accounts, our best VPN guide for remote workers covers the network layer that passkeys don't address.