OpenAI Introduces Passkey‑Only Authentication for ChatGPT and Codex, Eliminating Passwords
What Happened — OpenAI launched “Advanced Account Security,” an opt‑in setting that removes password‑based sign‑in for ChatGPT and Codex accounts and replaces it with FIDO2‑compatible passkeys or hardware security keys. Email and SMS recovery flows are disabled; recovery relies solely on backup passkeys or security keys held by the user.
Why It Matters for TPRM —
- Reduces phishing‑related credential compromise risk for organizations that embed OpenAI models in critical workflows.
- Limits exposure of sensitive prompts and data by preventing password‑based attacks and by automatically excluding secured‑account conversations from model training.
- Shifts recovery responsibility to end‑users, requiring vendors to verify that their staff maintain secure backup credentials.
Who Is Affected — SaaS providers, research institutions, media outlets, NGOs, and any enterprise that uses ChatGPT or Codex, especially those with “Trusted Access for Cyber” privileges.
Recommended Actions —
- Review your organization’s OpenAI usage and confirm whether Advanced Account Security is enabled for all privileged accounts.
- Update internal IAM policies to require passkey or hardware‑key authentication for any third‑party AI services.
- Ensure backup passkeys are stored securely and that recovery procedures are documented.
Technical Notes — The feature leverages FIDO2 and WebAuthn standards; OpenAI partners with Yubico to offer discounted YubiKey bundles. Mandatory enrollment begins 1 June 2026 for Trusted Access for Cyber members; other organizations may attest to equivalent phishing‑resistant SSO.
Source: Help Net Security