OpenAI Finally Adds Real Two-Factor to ChatGPT, Teams Up with Yubico


OpenAI announced today that it’s finally adding some serious account security options for ChatGPT users, including a partnership with Yubico to support hardware security keys.

This is one of those moves that makes you wonder what took so long. ChatGPT has been a prime target for account takeovers since day one, and the existing SMS-based two-factor was better than nothing, but not by much. Hardware keys are genuinely phishing-resistant: the key only signs for the site it was registered with, so a look-alike login page gets nothing it can reuse.

The new features are opt-in, which is both good and bad. Good because not everyone wants to deal with a physical key or even knows what one is. Bad because most people won’t bother enabling it, and the accounts that get compromised are usually the ones with the weakest protection.

Yubico’s YubiKeys are the gold standard here. If you’ve ever used one for Google or GitHub, you know the drill: plug it in, tap it, done. No codes to type, no SIM swap risk. OpenAI says the integration works with FIDO2 and WebAuthn, so it should play nice with most modern browsers and password managers.

But here’s the catch: this is only rolling out to paying customers first. Free-tier users? You’ll get app-based two-factor eventually, but the hardware key support is strictly for ChatGPT Plus, Team, and Enterprise accounts. I get the business rationale — enterprise customers have been screaming for this — but it still feels like a missed opportunity to protect everyone.

The timing is interesting. We’ve seen a wave of AI account thefts over the past year, with attackers using stolen credentials to run up API bills or access private conversations. A hardware key won’t stop every attack, but it would have prevented most of the high-profile ones I’ve read about.

OpenAI also mentioned improved session management and login alerts as part of this update. So even if you don’t buy a YubiKey, you’ll get better visibility into where your account is logged in. That’s a solid improvement on its own.

If you’re a Plus subscriber and you’ve been meaning to lock down your account, this is the push you needed. YubiKeys start around $25 for the basic USB-C model, and they work across dozens of services. I’ve been using one for years, and the only annoyance is remembering to carry it when I travel.

Will this stop sophisticated phishing campaigns? Partially. Will it stop the casual credential stuffing that’s been plaguing AI services? Almost certainly. For once, OpenAI is doing something security-forward instead of playing catch-up. Let’s hope this is the start of a trend, not a one-off.
