Secure accounts with Advanced Account Security
TL;DR
Users can now enable stricter sign-in requirements, including passkeys and physical security keys. This mode disables weaker recovery paths like SMS codes to prevent account takeovers.
## What changed OpenAI rolled out Advanced Account Security on April 30, 2026 as an optional setting for personal ChatGPT accounts. The feature requires passkeys or physical security keys for sign-in and disables password login, email or SMS codes, and email-based recovery.
It adds recovery keys, shorter session times, login notifications, and session controls. Users must keep their recovery keys and enrolled keys safe, since losing all access methods can permanently lock them out of the account.
## Why it matters This change raises the bar for account protection at a time when many builders store prompts, files, and connected data inside ChatGPT. It directly reduces easy takeover paths that still work on most consumer accounts.
The trade-off is clear: stronger security means fewer recovery options if something goes wrong. Solo operators who rely on quick resets or shared devices will feel the friction first.
## How to use it Go to ChatGPT settings on web, find the Advanced Account Security toggle, and enable it. Set up a passkey or compatible hardware key during the process and immediately save the provided recovery keys.
The setting is available only for personal accounts, not Business, Enterprise, or Edu workspaces. Test sign-in from your usual devices before relying on it for daily work.
## Watch for Confirm the bet if OpenAI adds recovery options that still avoid SMS while remaining usable. The feature breaks if too many users lose access and complain loudly. Expect similar controls to appear in the Business plan next.
Harsh’s take
Most Vibe Builders treat ChatGPT like a notebook and a database at once. Leaving that account open to SMS hijacks is now an obvious risk. Advanced Account Security removes the easy exits but forces you to treat the account like production infrastructure.
The real cost is operational overhead. You need a hardware key or reliable passkey manager, plus a safe place for recovery codes. Skip either step and you can lose months of custom instructions and file history in one go.
Do this now: enable the setting on your main account, store the recovery keys offline, and move any shared team workflows to a separate Business workspace that still allows simpler recovery.
by Harsh Desai
About ChatGPT
View the full ChatGPT page →All ChatGPT updatesGo deeper
More AI news
- FeatureHermes Agent verifies work with completion contracts and evidence ledgers
Hermes Agent records verification evidence for coding tasks. The /goal command uses completion contracts to judge success against test runs rather than model assertions.
- FeatureCursor adds cloud agent management to the Agents window
Cursor sets up cloud development environments in under 10 minutes, spins up isolated cloud subagents using /in-cloud, and hands off sessions between local and cloud.
- FeatureCursor introduces /automate skill for automating repetitive tasks
Cursor's new /automate skill creates automations from plain language. Workflows trigger via Slack emojis or GitHub events while cloud agents access virtual computers.