
OpenAI Introduces Passwordless Security for ChatGPT

by Sakshi Dhingra - 6 hours ago - 1 min read

A Move Toward Phishing-Resistant Authentication

OpenAI has rolled out “Advanced Account Security” (AAS) for ChatGPT, replacing traditional password-based logins with passkeys and hardware authentication. This shift directly targets phishing and credential-theft attacks, which remain the primary cause of account breaches across digital platforms.

Security Architecture and Key Changes

The new system requires users to configure at least two independent authentication methods, such as device-based passkeys and physical security keys. Unlike conventional setups, AAS removes password entry entirely and disables weak recovery methods like email or SMS resets. Account recovery is only possible through pre-configured backup credentials, significantly reducing takeover risks.

Partnership with Yubico

To strengthen this model, OpenAI has partnered with Yubico to support YubiKey-based authentication. These hardware keys use cryptographic verification and require physical presence, making remote attacks nearly impossible. Similar implementations in enterprise environments have shown near-zero phishing success rates after adoption.
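The "cryptographic verification" and "physical presence" properties correspond to checks a relying party runs on every passkey or security-key (WebAuthn) login. The sketch below is an added example, not code from OpenAI or Yubico; the RP ID, origin and sample assertions are constructed placeholders, and verifying the authenticator's signature over these same bytes with the registered public key is assumed to happen separately.

```python
import base64, hashlib, json

RP_ID = "login.example"            # assumed relying-party ID (placeholder)
ORIGIN = "https://login.example"   # assumed expected web origin (placeholder)
FLAG_UP = 0x01                     # authenticatorData flags, bit 0: user present

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> str:
    """Return "ok" or the reason the assertion must be rejected."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "wrong ceremony type"
    # The challenge is issued per login attempt, so a replayed assertion fails here.
    if client.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    # The browser, not the user, writes the origin, so a look-alike site shows up here.
    if client.get("origin") != ORIGIN:
        return "origin mismatch"
    if len(auth_data) < 37:  # 32-byte rpIdHash + 1 flags byte + 4-byte counter
        return "authenticator data too short"
    # The authenticator scopes each credential to the RP ID it was registered for.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    # A hardware key sets this bit only after a touch (physical presence).
    if not auth_data[32] & FLAG_UP:
        return "user not present"
    return "ok"

def sample(origin: str, rp_id: str, flags: int, challenge: bytes):
    """Build a constructed (not captured) assertion for the checks above."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (7).to_bytes(4, "big")
    return client, auth

if __name__ == "__main__":
    chal = b"\x01" * 32  # constructed challenge
    cases = {
        "genuine": (ORIGIN, RP_ID, FLAG_UP),
        "look-alike origin": ("https://login.example.invalid", RP_ID, FLAG_UP),
        "no touch": (ORIGIN, RP_ID, 0x00),
    }
    for label, args in cases.items():
        print(label, "->", check_assertion(*sample(*args, chal), chal))
```

Because the origin and RP ID hash are covered by the authenticator's signature, a credential presented through a look-alike site fails these checks even when the user cooperates, which is what a typed password cannot offer.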

Trade-Off and Industry Context

The system introduces a strict trade-off: once enabled, OpenAI cannot recover lost accounts, eliminating social engineering risks but increasing user responsibility. The rollout aligns with a broader industry shift toward zero-trust security as AI platforms become repositories of sensitive workflows and data.