The company that trained the world to talk to AI is finally admitting those conversations might be worth stealing.

The Signal

OpenAI has spent two years convincing developers, executives, and creative professionals to treat ChatGPT like a thinking partner. Now it's dealing with the consequence: those chat logs are treasure maps. Advanced Account Security targets users who've realized their prompts contain more value than their passwords.

The core feature is phishing-resistant authentication. That means hardware keys, biometrics, or cryptographic proof you are who you say you are, not just someone who knows your password. The partnership with Yubico is the tell. Yubico makes physical security keys used by Fortune 500 IT departments and journalists in authoritarian countries. This isn't consumer-grade 2FA. It's the kind of protection you use when account compromise means operational risk.

OpenAI frames the rollout around preventing account takeover and safeguarding sensitive data. Translation: someone, somewhere, is already phishing ChatGPT accounts at scale. The timing matters. ChatGPT has 200 million weekly active users. A meaningful percentage are now using it for work that would previously have lived in Google Docs, Slack, or internal wikis. Product roadmaps. Legal strategy. Competitive analysis. Code that hasn't shipped yet.

Codex users get the same protections. That's notable. Wired highlights the inclusion of Codex, OpenAI's code-generation tool used by developers building production software. A compromised Codex account doesn't just leak chat history. It could expose unreleased features, API architectures, or proprietary algorithms. For companies building on OpenAI's infrastructure, that's existential.

Key elements of Advanced Account Security:

  • Phishing-resistant login methods (hardware keys, biometric authentication)
  • Stronger account recovery protocols to prevent social engineering takeovers
  • Enhanced data protections for chat logs containing sensitive information

The opt-in structure is interesting. OpenAI isn't forcing this on everyone. They're betting a subset of users, those handling high-value prompts or operating in high-threat environments, will self-select. That's smart positioning. It avoids the backlash of making login harder for casual users while giving enterprise and government customers a clear signal: we know your threat model is different.

The Implication

If you're using ChatGPT or Codex for anything beyond weekend poetry, turn this on. The delta between "I use AI for brainstorming" and "I use AI for strategic planning" collapsed faster than most companies realized. Your chat history is now part of your attack surface.

For OpenAI, this is table stakes for the agent economy. If autonomous agents are going to manage calendars, write code, and negotiate contracts on your behalf, their authentication can't rely on passwords. Hardware-based, phishing-resistant auth is the foundation. Watch for this feature to become mandatory for API users and enterprise customers within 12 months.

Sources

TechCrunch AI | Wired AI | OpenAI Blog