
OpenAI Strengthens ChatGPT Login Security With New Controls

OpenAI rolls out Advanced Account Security for ChatGPT: mandatory passkeys, shorter sessions, and account recovery changes. Affects all users globally.

Executive Summary

OpenAI has introduced a new set of security controls for ChatGPT accounts, collectively branded as Advanced Account Security, according to a company announcement reported by SecurityWeek. The update mandates passkey-based authentication, enforces shorter session durations, and tightens account recovery procedures. The changes come amid rising credential-stuffing attacks targeting AI service accounts; attackers use the compromised accounts to obtain free API access or to exfiltrate conversation histories.

Technical Analysis

Advanced Account Security requires users to register a passkey (FIDO2/WebAuthn) before they can log in from new devices or browsers. Once enrolled, the system will reject password-only logins for those accounts. Session timeouts have been reduced from the previous default of 30 days to a maximum of 7 days, and users can configure even shorter windows. Account recovery now requires both email verification and passkey confirmation, closing a vector where attackers could reset passwords via compromised email inboxes alone.
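To make the policy described above concrete, the following is an added example (not OpenAI's code, and not from the article) that models the three rules as a small decision module: password logins are refused for passkey-enrolled accounts and for unknown devices, the user-configurable session window is clamped to the 7-day cap, and recovery requires both the email and passkey factors. Account fields, device identifiers and the decision strings are assumptions made for the example.

```python
from dataclasses import dataclass, field

DAY = 86_400
# Session cap described in the article: 7 days maximum; users may shorten it.
MAX_SESSION_AGE = 7 * DAY


@dataclass
class Account:
    passkey_enrolled: bool
    # Hypothetical set of device/browser identifiers already known for the account.
    known_devices: set = field(default_factory=set)
    # Hypothetical user-configured session window in seconds, clamped by the cap.
    session_window: int = MAX_SESSION_AGE


def effective_session_window(account: Account) -> int:
    """A user may shorten the session window but never extend it past the cap."""
    return min(account.session_window, MAX_SESSION_AGE)


def session_valid(account: Account, issued_at: int, now: int) -> bool:
    """True while a session issued at issued_at (epoch seconds) is inside the window."""
    return 0 <= now - issued_at <= effective_session_window(account)


def evaluate_login(account: Account, device_id: str, method: str) -> str:
    """Decide a login attempt; method is 'password' or 'passkey'."""
    if method == "passkey":
        return "allow"
    if method != "password":
        return "deny:unknown_method"
    if account.passkey_enrolled:
        # Enrolled accounts reject password-only logins outright.
        return "deny:passkey_required"
    if device_id in account.known_devices:
        return "allow"
    # Unknown device or browser: a passkey must be registered before login.
    return "deny:enrol_passkey_first"


def evaluate_recovery(email_verified: bool, passkey_confirmed: bool) -> str:
    """Recovery needs both factors; a compromised inbox alone is not enough."""
    if email_verified and passkey_confirmed:
        return "allow"
    return "deny:both_factors_required"
```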

OpenAI also added an option to exclude account data from model training, which is toggled on by default for accounts enrolled in Advanced Account Security. The feature is rolling out gradually to all ChatGPT users, including free-tier, Plus, Team, and Enterprise subscribers. The company did not disclose whether the changes were prompted by a specific incident, but credential-stuffing attacks against AI platforms have been documented by multiple threat intelligence firms since early 2026.

Mitigations & Recommendations

ChatGPT users should enable Advanced Account Security immediately when prompted. Those who have not yet received the option should manually configure two-factor authentication (TOTP or SMS) in their account settings as an interim measure. Organizations using ChatGPT Enterprise should audit their SSO configurations to ensure compatibility with the new passkey requirements. Users should also review active sessions and revoke any unrecognized logins.
