OpenAI has introduced additional security protections for ChatGPT users, including a partnership with hardware security key provider Yubico. The company announced the new opt-in measures on Thursday, expanding account safety options beyond standard passwords and two-factor authentication via authenticator apps.
The initiative comes as OpenAI continues to scale its user base across consumer and enterprise markets. The new features are designed to address growing demand for stronger account security, particularly among high-risk users such as journalists, activists, and corporate clients handling sensitive data.
Yubico Partnership and Hardware Key Support
Under the partnership, ChatGPT users can now register YubiKey hardware security keys as a second factor for logging in. Yubico produces physical USB or NFC devices that generate unique cryptographic credentials for each login attempt, making them resistant to phishing and account takeover attempts that bypass SMS or app-based codes.
Users who enable the new feature will see a prompt to insert or tap their YubiKey during the login process after entering their password. OpenAI stated that the integration supports FIDO2 and WebAuthn standards, which are widely adopted by major tech platforms including Google, Microsoft, and Apple.
The hardware key option is voluntary. Users who do not wish to purchase a physical device can continue using existing two-factor authentication methods, including authenticator apps or SMS codes.
Background on Security Expansion
OpenAI has been under pressure to improve account security following reports of compromised ChatGPT accounts being sold on dark web forums. In 2024, the company introduced mandatory two-factor authentication for some enterprise accounts and began rolling out session management tools allowing users to revoke active logins from unfamiliar devices.
The Yubico partnership represents the first time OpenAI has offered dedicated hardware security key support to its consumer ChatGPT users. Previously, hardware key functionality was limited to the company’s enterprise tier.
Industry Context
Hardware security keys are considered one of the strongest methods of account protection available. Unlike SMS codes or authenticator app tokens, physical keys cannot be intercepted remotely or tricked through fake login pages designed to capture one-time passwords.
Yubico’s YubiKey line is widely used in government, finance, and technology sectors. The company competes with other hardware security vendors such as Google’s Titan Security Key and Thetis.
Security researchers have consistently recommended hardware keys for individuals and organizations facing elevated risk of targeted phishing attacks. OpenAI’s adoption of the standard aligns with broader industry moves toward passwordless authentication.
How to Enable the New Feature
To use the hardware key option, ChatGPT account holders must first enable two-factor authentication in their account settings. After doing so, they can select “Security Key” as an additional verification method and follow prompts to register their YubiKey device.
OpenAI recommends that users register at least two keys to avoid being locked out in case one is lost or damaged. The company also advises users to keep backup recovery codes stored in a secure location.
The feature is available now for all ChatGPT users with a verified account, including those on the free tier. Enterprise customers retain access to additional security controls under their existing usage plans.
As of the announcement, no timeline has been provided for adding support for other hardware key vendors or implementing broader passwordless login options.
Source: OpenAI Blog