In a proactive move to fortify user accounts against potential cyber threats, OpenAI has introduced a new feature called Advanced Account Security. Announced on Thursday, this enhancement aims to provide an additional layer of protection for users of ChatGPT and Codex, making account takeover significantly harder.
The initiative aligns with ongoing trends in cybersecurity where enhanced protective measures are becoming critical. Similar strategies have long been utilized by technology giants like Google through their Advanced Protection program. As artificial intelligence technologies gain ubiquitous adoption, the demand for robust security protocols is increasingly urgent. OpenAI asserts that this implementation forms part of a comprehensive cybersecurity strategy it revealed earlier this month.
As OpenAI notes, “People are turning to AI for deeply personal questions and increasingly high-stakes work.” The concern is greater for specific user groups—such as journalists, political figures, researchers, and those with heightened security needs—who may face more serious consequences should their accounts be compromised.
Users opting for Advanced Account Security will be required to forgo traditional passwords for their accounts. Instead, they must set up two physical security keys or passkeys, effectively minimizing vulnerability to phishing attacks. Notably, the option for recovery through email or SMS has been removed; users are instead required to utilize recovery keys, backup passkeys, or physical security tokens. In a bid to facilitate adoption, OpenAI has partnered with Yubico to offer budget-friendly YubiKey bundles to users opting for this security level.
A critical aspect of the Advanced Account Security feature is that once activated, users will no longer have access to OpenAI support for account recovery. This design ensures that support cannot be manipulated through social engineering, thereby reducing the potential entry points attackers could exploit. Such measures highlight the need for organizations to implement stronger verification practices in the face of persistent and evolving cyber threats.
Furthermore, Advanced Account Security introduces shorter sign-in sessions, requiring users to log in more frequently. Each time a login occurs, users will receive notifications, enabling them to monitor active sessions on their accounts. For users concerned about data privacy, enabling this enhanced security feature also automatically opts their conversations out of being used for model training.
OpenAI’s Trusted Access for Cyber program, which provides cybersecurity experts and researchers early access to new technological models, will mandate the activation of Advanced Account Security by June 1. Alternatively, participants can attest to employing phishing-resistant authentication via enterprise-specific single sign-on solutions.