OpenAI has introduced a significant security upgrade for ChatGPT accounts, partnering with digital security provider Yubico to launch co-branded YubiKeys. This move addresses the growing threat of phishing attacks targeting chatbot users worldwide.
OpenAI Advanced Account Security: A New Layer of Protection
On Thursday, OpenAI announced Advanced Account Security (AAS), a set of opt-in protections designed for high-value individuals. The program is available to any ChatGPT user who wants stronger security. AAS includes hardware-based authentication through YubiKeys, small USB devices that provide cryptographic verification.
Yubico CEO Jerrod Chong stated in a press release: "Ultimately, our intent is to drastically reduce the threat of unauthorized access to sensitive data in OpenAI accounts worldwide." The partnership aims to protect users from phishing, a growing risk for chatbot users who share sensitive information in conversations.
The two companies released a pair of co-branded YubiKeys: the YubiKey C NFC and the YubiKey C Nano. These devices plug into a computer's USB port and store a unique cryptographic identifier. Only the person holding the key can log into the connected account.
Who Benefits from Advanced Account Security?
OpenAI suggests AAS is ideal for political dissidents, journalists, researchers, and elected officials. These individuals often engage in politically charged work and face higher security risks. Enterprise users also stand to benefit, as corporate secrets stored in ChatGPT sessions need robust protection.
The announcement follows a growing trend in the AI industry toward better digital security. Several weeks ago, Anthropic launched a new cybersecurity model called Mythos. OpenAI has also introduced a new framework for digital defense, aiming to stay ahead of competitors. The new feature was created in response to how people are increasingly using ChatGPT to handle more sensitive and high-stakes tasks.
"People are turning to AI for deeply personal questions and increasingly high-stakes work. Over time, a ChatGPT account can hold sensitive personal and professional context, and sit at the center of connected tools and workflows," OpenAI said in a statement. "For some people, like journalists, elected officials, political dissidents, researchers, and those who are especially security-conscious, the stakes are even higher."
How YubiKeys Protect Against Phishing
Security keys like YubiKeys offer strong protection against phishing attacks. Unlike passwords, which can be stolen or guessed, a hardware key requires physical possession. This makes it nearly impossible for remote attackers to gain access.
When a user logs into ChatGPT with a YubiKey, the device generates a unique cryptographic signature. The server verifies this signature, ensuring only the authorized user can access the account. This process blocks phishing attempts that trick users into entering passwords on fake websites.
Phishing attacks targeting chatbot users are on the rise. Cybercriminals seek extortion-worthy information from conversations. Given the intimate nature of many ChatGPT interactions, both personal and enterprise users face significant risks. In 2024, security firms reported a 300% increase in AI-related phishing attempts.
Trade-offs: Security vs. Convenience
While hardware keys offer stronger security, they come with trade-offs. If a user loses their YubiKey, OpenAI cannot help recover account access. This means conversations stored in ChatGPT could be lost permanently. Users must store backup keys in safe locations.
Yubico recommends keeping a spare key in a secure place, such as a safe deposit box. This ensures access even if the primary key is lost or damaged. Despite these risks, many security experts recommend hardware keys for high-value accounts. The protection they offer outweighs the inconvenience of managing physical devices.
The Advanced Account Security setting removes email and SMS recovery options entirely. Enrolled accounts are automatically excluded from model training, providing an additional privacy benefit.
How to Set Up Advanced Account Security
Enabling AAS on ChatGPT is straightforward. Users need a compatible YubiKey, which can be purchased from Yubico's website or authorized retailers. The setup process involves linking the key to the ChatGPT account through the security settings.
OpenAI said it will offer a discount on a bundle that includes two keys for everyday use and backup. Users can also use other FIDO-compliant security keys or software-based passkeys. Sign-in sessions are shortened to limit exposure if a device is compromised. Users receive alerts for logins and can review active sessions across devices.
Future of AI Security
OpenAI's announcement signals a shift toward hardware-based security in the AI industry. Other companies may follow suit, partnering with security providers to offer similar protections. The Advanced Account Security rollout also includes changes for users in OpenAI's "Trusted Access for Cyber" program, which provides access to more capable and permissive models. Members of the program will be required to enable Advanced Account Security starting June 1. Organizations can instead confirm they use phishing-resistant authentication through single sign-on systems.
"Privacy and security are foundational to how we build all of our products and we'll continue investing in protections that give people more control and stronger safeguards over time," OpenAI wrote. "We expect to extend this work to additional audiences, including enterprise environments, where stronger account security can matter just as much."
