OpenAI Introduces Advanced Account Security Feature for ChatGPT Users – Optional Passkey & Training Opt‑Out
What Happened — OpenAI launched “Advanced Account Security,” an opt‑in suite of four controls that require a passkey or hardware security key, enforce stronger account‑recovery methods, shorten active login sessions, and disable the use of user chats for AI model training. The feature is aimed at security‑conscious individuals but is available to any ChatGPT user.
Why It Matters for TPRM —
- Strengthened authentication reduces the risk of credential‑theft attacks on a widely used SaaS platform.
- Disabling the use of chats for model training limits inadvertent exposure of proprietary or regulated information shared with the model.
- The optional controls create a new security baseline that third‑party risk assessments must verify when evaluating OpenAI as a service provider.
Who Is Affected — SaaS/AI platform providers, enterprises that embed ChatGPT into workflows, and any organization that permits employees to interact with ChatGPT for business purposes.
Recommended Actions —
- Review OpenAI’s security documentation and confirm whether the Advanced Account Security settings are enabled for your organization’s accounts.
- Update the internal access policy to mandate passkey or hardware‑key usage for privileged users.
- Adjust data‑handling procedures to account for the default training opt‑out and verify that any required model‑training consent is documented.
Technical Notes — The feature adds a WebAuthn‑based passkey flow, supports FIDO2 security keys (e.g., YubiKey C NFC/Nano), enforces multi‑factor recovery, reduces session TTL, and toggles a “no‑training” flag on user conversations. No new CVEs are disclosed.
Source: ZDNet Security – ChatGPT Advanced Account Security