OpenAI is finally doing something about the fact that ChatGPT accounts have been sitting on basic password security for way too long. Starting today, there are new opt-in protections, and the headline here is a partnership with Yubico — the company behind those little USB/NFC security keys that actual security-conscious people have been using for years.
Let’s be real: the timing makes sense. ChatGPT now handles sensitive business data, personal documents, and code that people would rather not leak. A password-only setup in 2026 is borderline negligent, especially when you’re sitting on a platform with hundreds of millions of users. So I’m glad they’re moving, even if it’s opt-in rather than mandatory.
What we’re getting:
- Hardware security key support via WebAuthn. That means you can plug in a YubiKey (or any FIDO2-compliant key) and use it as your second factor. No SMS codes, no authenticator app. Just tap and go.
- Passkey support built into the same flow, so if you’re on a device that stores passkeys (iPhones, recent Androids, password managers), you can use those too.
- The Yubico partnership specifically means OpenAI will offer discounted YubiKeys through some channel — I’m guessing a promo code or direct purchase link in the security settings. Details are light on pricing, but if they can get a YubiKey 5 NFC for $30ish, that’s a solid deal.
What’s missing? It’s still opt-in. OpenAI isn’t forcing anyone to use this. That’s fine for now, but I’d expect enterprise and ChatGPT Team users to get mandatory enforcement pretty soon. Also, there’s no mention of TOTP backup codes or recovery options in the announcement, which is a glaring oversight if you lose your hardware key.
This is better than I expected in terms of execution — WebAuthn is the gold standard, and tying it to a hardware key vendor partnership gives people a clear path to upgrade. But let’s not pretend this is revolutionary. Google, Apple, and Microsoft have been doing this for years. OpenAI is catching up, not leading.
Still, catching up is better than staying vulnerable. If you’re using ChatGPT for anything beyond casual conversation, go enable this. Your future self will thank you when your account doesn’t end up in a credential dump.