ChatGPT Advanced Account Security: Passkeys, Recovery Keys, and the Lockout Tradeoff
A practical decision guide for ChatGPT Advanced Account Security, covering passkeys, recovery keys, account risk, and lockout preparation.
Updated May 18, 2026.
Stronger account security is only useful when recovery has been planned with the same care. Advanced Account Security can reduce account takeover risk, but it also raises the cost of losing access to trusted devices and recovery material.
The Sign-In Model Changes
Advanced Account Security is an optional setting for eligible consumer ChatGPT accounts. OpenAI says it strengthens sign-in protections, tightens recovery, reduces exposure from compromised sessions, and gives users more visibility into account activity. The protection applies to ChatGPT and Codex accounts that use the same login.
The biggest change is the sign-in method. Instead of relying on a password, the setting requires passkeys or physical security keys. These are harder to phish because the sign-in method is tied to a trusted device, browser, platform account, or hardware key rather than a code someone can trick you into sharing.
Once enabled, several standard sign-in and recovery paths are disabled: password sign-in, email and SMS sign-in codes, and email account recovery are all turned off. That matters because attackers often try to compromise an email inbox or phone number first, then use recovery flows to take over more valuable accounts.
OpenAI also says enrolled users receive login alerts, can review active sessions, and may have shorter sessions so a stolen or unattended device has less time to stay useful to someone else. Conversations from accounts with Advanced Account Security enabled are not used to train OpenAI models, according to the company's help documentation.
Good Candidates For The Stricter Mode
This setting makes the most sense for people whose ChatGPT account contains sensitive work, personal context, or access to connected tools. Journalists, researchers, public officials, political activists, security-conscious professionals, creators with private business planning, and developers using Codex may have more at stake than a casual user.
It can also be useful for anyone who has reason to worry about phishing. If you have reused passwords in the past, manage confidential projects, travel often, or sign in across several devices, stronger authentication can reduce the damage from a stolen password or a convincing fake login page.
OpenAI also says individual members of Trusted Access for Cyber who use its more capable cyber models will be required to enable Advanced Account Security beginning June 1, 2026, unless an organization with trusted access attests to phishing-resistant authentication through single sign-on. That requirement shows how OpenAI is treating stronger account protection as part of the safety model for more sensitive tools.
When Waiting Is The Safer Choice
Advanced Account Security is not available for every account. OpenAI's help page says it is not available for ChatGPT Enterprise users, enterprise-managed accounts, or accounts associated with an enterprise-managed domain. Availability for workspace-linked accounts can depend on account configuration. If the option does not appear under Settings and Security, the account may not be eligible yet.
Some people should also wait even if the setting appears. If you do not understand where your passkeys are stored, do not have access to a second secure sign-in method, or do not have a safe place to store recovery keys, enabling the feature may be premature.
The most important recovery warning is simple: if you lose all sign-in methods and recovery keys, you may lose access to the account. OpenAI says its support team can explain available options, but cannot use standard email recovery, reset the password, remove Advanced Account Security, or add new sign-in methods to restore routine access while the feature is enabled.
Recovery Preparation Before Enrollment
Before enabling Advanced Account Security, prepare the recovery path first.
- Set up at least two secure sign-in methods.
- Make sure at least one method works across devices.
- Save the recovery keys in a secure place before finishing enrollment.
- Confirm you know how to access your passkeys or security keys from both desktop and mobile.
- Review where you are currently signed in.
- Keep one trusted browser or device available while you complete setup.
- Avoid enabling the feature during travel, device migration, or email account recovery.
OpenAI's examples include a passkey plus a compatible hardware security key, two compatible passkeys if at least one works across devices, or two compatible hardware security keys. A passkey saved only on one device may not satisfy the cross-device requirement.
During enrollment, some users in the United States, United Kingdom, and European Union may see an option related to YubiKeys. OpenAI says YubiKeys are optional and that users can use any FIDO-compatible security key or passkeys that meet the setup requirements. If a hardware key is involved, support for the key itself is handled by the key provider, not OpenAI.
Threats Outside The Login Flow
Advanced Account Security reduces several account takeover paths, but it does not make every security problem disappear.
It does not protect a device that is already fully compromised. If malware can see what you see or control the browser after you sign in, stronger login protection is only one layer. It also does not replace basic email security, device updates, browser hygiene, or careful handling of connected apps.
It also does not remove the need to respond to suspicious activity. OpenAI's help center says suspicious activity alerts can be triggered by unusual sign-in behavior, sudden spikes in activity or settings changes, or multiple concurrent sessions. Those alerts do not always mean wrongdoing, but they are a signal to review the account.
If you see an alert, OpenAI recommends changing the password, enabling two-factor authentication where applicable, and logging out of all devices. If restrictions continue, the help page suggests steps such as signing out and back in, clearing cookies and cache, trying another browser or device, disabling VPN or proxy tools during troubleshooting, and using one trusted device and network.
The Decision Rule
Enable Advanced Account Security if the account is important enough that phishing-resistant sign-in and stricter recovery are worth the extra responsibility. Wait if you are not ready to manage backup methods and recovery keys.
The tradeoff is not simply convenience versus security. It is stronger protection in exchange for weaker recovery. That can be exactly right for a high-risk user, but it can be frustrating for someone who often loses devices, changes phones without planning, or relies on email recovery as a safety net.
For most readers, the best first step is to review account hygiene before turning on the advanced mode. Use a unique password, secure the email account connected to ChatGPT, review active sessions, remove devices you no longer use, and make sure your browser and operating system are current. Then decide whether the stricter recovery model fits your risk level.
FAQ
Is Advanced Account Security available to everyone?
No. OpenAI says it is available for eligible personal ChatGPT accounts in supported regions. It is not available for ChatGPT Enterprise users, enterprise-managed accounts, or accounts linked to an enterprise-managed domain.
Do I need a physical security key?
Not necessarily. OpenAI says users can use passkeys, compatible FIDO security keys, or a combination that satisfies the setup requirements. A hardware key is optional.
Can OpenAI recover my account if I lose everything?
OpenAI's help page says support can explain available options, but standard email recovery is not available while Advanced Account Security is enabled. Support cannot reset the password, remove the feature, or add sign-in methods to restore ordinary access.
Does this affect model training?
According to OpenAI's help documentation, conversations from accounts with Advanced Account Security enabled are not used to train OpenAI models while the setting is active.
Should I enable it immediately after seeing a suspicious activity alert?
Not before stabilizing the account. First follow the basic recovery steps: change the password, review active sessions, sign out of devices you do not recognize, and secure the email account. Then consider whether Advanced Account Security is appropriate.