By removing passwords from the login process, the brand-new passwordless authentication for OpenAI services effectively mitigates the risk of credential theft.
Securing ChatGPT with this option will also automatically give Codex the very same top-tier security. So coding projects and agent sessions stay safe.
OpenAI's Advanced Account Security for high-level researchers and critical cyber defenders to prevent sophisticated account takeovers is a mandatory requirement
OpenAI took a major step toward security by removing password barriers at login. The change to a passwordless login focuses on FIDO2 standards, including passkeys and hardware keys like YubiKeys, which turn AI chats and code into a 'digital vault'.
Traditional Passwords can be guessed or stolen through phishing, whereas hardware-backed credentials require a physical device or biometrics for access. This tutorial explains the enrollment procedure to secure ChatGPT and Codex accounts.
Enrollment is via the web interface, and the resulting security features will work anywhere users access their OpenAI accounts.
The first step is to visit the official website. Click the profile icon in the lower-left corner and choose Settings. After that, click the Security tab and find the Advanced Account Security section. Hit the 'Enroll' or 'Set Up' button to start the three-step guided wizard.
OpenAI requires users to have either two software-based passkeys (synced via iCloud or Google) or a mix of software passkeys and hardware keys. When signing up, users will get a message, 'Add a Security Key. ' For mobile users, passkeys may be generated with Face ID or Touch ID. For stronger protection, a physical USB or NFC security key can add an extra layer of authentication, ensuring account access remains secure even if a phone gets lost or stolen.
One of the most important components of a passwordless authentication system is the generation of recovery keys. Since OpenAI disables traditional email and SMS recovery features to prevent SIM-swapping, recovery codes become the only way to regain access to the account if connected devices are lost. Storing them securely on paper or inside a physical safe is strongly recommended. After verification, the old password is removed, making the account fully passwordless.
Adopting a passwordless login system not only brings convenience but also several other advantages.
Without a password to enter, no one can be fooled by malicious sites into 'logging in' to steal credentials.
Removing SMS-based recovery means user accounts remain safe even if SIM-swap crimes become widespread.
Users who sign up for Advanced Account Security in 2026 will be automatically prevented from having their accounts used for AI model training, which is a great privacy feature.
These users have shorter session windows, so even if the device is left unattended, the risk of unauthorized access is minimal.
Also Read: How Will Biometrics and Crypto Keys Enable Passwordless Security?
Passwordless login is definitely the strongest and smartest way to protect intellectual property. Activating passwordless login in ChatGPT and Codex avoids simple text strings that can be very easily hacked and moves toward a hardware-backed security approach.
Although users will be responsible for recovering their accounts, the biggest advantage of passwordless authentication comes from stronger protection against phishing attacks and credential theft. Enabling the feature improves both security and login speed while removing the need for traditional passwords.
1. Can I use the same password after turning this on?
You can't reuse your old password. Enrolling simply replaces your traditional email/password login with a secure account that is not susceptible to phishing.
2. What if I lose my phone and hardware key?
This is why OpenAI asks for a minimum of 2 keys (or a backup recovery code) at setup. Losing all keys and the recovery code means the account is unrecoverable even by support.
3. Is ChatGPT's passwordless login available on mobile?
Yes. Your phone's Face ID or Fingerprint can be your passkey, so you can log in without a password even when you're on the move.
4. Can this keep my Codex API keys safe?
The login authentication safeguards the account used to manage Codex and its related repositories. But the account owner remains responsible for securing your individual API secret keys using standard environment-variable measures.
5. Is there a charge for passwordless authentication?
Software-based passkeys are provided at no charge. Still, if you go with hardware security keys, you have to buy them separately (OpenAI is known to offer discounted hardware key bundles to enrolled users).