OpenAI announced ‘Advanced Account Security’, an opt-in setting for ChatGPT accounts aimed at users facing higher risks of digital attacks on April 30, 2026. The feature consolidates stronger account protections and applies across ChatGPT and Codex accounts under the same login. It removes traditional password-based logins and SMS or email-based recovery, replacing them with phishing-resistant methods.
How advanced security works
- Passwordless sign-in: Users must authenticate using passkeys or physical security keys, with password-based logins disabled entirely.
- No SMS or email recovery: The system removes conventional recovery methods to reduce the risk of compromised phone numbers or email accounts.
- Stronger recovery tools: Users can restore access only with backup passkeys, security keys, or recovery keys. OpenAI Support does not assist with recovery in this mode.
- Shorter sessions: Login sessions are deliberately shortened to limit exposure if a device is compromised.
- Session visibility: Users receive alerts for logins and can view and manage active sessions across devices.
- Automatic training exclusion: Advanced Account Security ensures that OpenAI does not use conversations from these accounts for model training.
Partnership with Yubico: The AI company has partnered with Yubico to support hardware-based authentication through security keys. They will offer a customised bundle of YubiKeys at preferred pricing. While the partnership launches alongside Advanced Account Security, the hardware bundle will be available more broadly to eligible users. The system also supports other Fast Identity Online (FIDO) compliant security keys and software-based passkeys.
Why this matters: India has 100 million weekly active ChatGPT users, making it one of the company’s largest global markets, OpenAI CEO Sam Altman said in February 2026. This is a user base that includes journalists, researchers, and government officials for whom account security is not theoretical. These are precisely the groups OpenAI says it designed this feature for. In India, they face documented risks: the country has seen Pegasus spyware used against journalists and activists, and account compromise via phishing is a recognised threat.
The timing also aligns with a broader regulatory shift. The Reserve Bank of India’s (RBI’s) new authentication directions for digital payments, effective April 2026, mandate moving away from SMS OTPs toward stronger verification methods, signalling a broader move away from passwords and OTPs.
Also read
- ‘Stealer Logs’ & ‘Credential Stuffing Lists’ Data Breach Leaks 183M Email Passwords
- Reddit to Label Bots, Tighten Checks on Suspicious Accounts
- OpenAI releases child safety policy framework recommendations to combat AI-enabled CSAM
For You
- Read Reasoned by Nikhil Pahwa: How AI is changing our world
- Sign up for MediaNama's Daily Newsletter to receive regular updates
- Sponsor a MediaNama Event





















