On April 30, 2026, OpenAI announced Advanced Account Security — an opt-in setting that disables password login for ChatGPT, mandates passkeys or FIDO2 hardware keys, shortens session lifetimes, removes email and SMS recovery, and excludes the account's conversations from model training automatically. In one sentence the headlines mostly missed, OpenAI also said that members of Trusted Access for Cyber — the gated programme that hands out the most permissive cyber-capable variant of GPT-5.5 — will be required to enable the new setting starting June 1. Everyone in scope has thirty days to plug in a hardware token.

This is the structural sequel to two stories the Loop ran last week. On May 1 we covered Trusted Access for Cyber — OpenAI's KYC-vetted distribution channel for the cyber-tuned model. On May 4 we covered AISI's evaluation of GPT-5.5, which contained the awkward footnote that the institute could not verify the patched safeguard stack before the model shipped. Read together, those two stories said: gated access works only as long as the safety stack inside the model holds. Today's story is OpenAI admitting on paper that it can't lean entirely on the inner stack, and bolting on a hardware perimeter.

The frame to hold while reading the rest of this is: the access-control architecture is layering up. The model card is no longer the only model card. The model card is now also a hardware token plugged into the right person's USB-C port.

What the setting actually does

The feature list, confirmed across Help Net Security and SecurityWeek, reads like a checklist someone built after reading every account-takeover post-mortem of the past five years.

• Password login is disabled. Sign-in is FIDO2/WebAuthn — passkeys or hardware keys, nothing else.
• Email and SMS recovery are removed. Recovery flows through backup passkeys, registered hardware keys, and recovery codes the user keeps. OpenAI Support cannot help.
• Sign-in sessions are shortened. The exact value is not published; the framing is "limit exposure if a device or active session is compromised."
• Login alerts surface new sessions. Active sessions can be reviewed and terminated.
• Conversations from accounts with the setting on are excluded from model training automatically.

The trade-off is the line OpenAI puts in bold. TechCrunch's write-up puts it directly: "If the key is lost, OpenAI won't be able to help recover access. In practice, that means conversations could be lost for good." That is a sentence that costs the user their entire ChatGPT history. It is also the price of a recovery flow that no support agent can be social-engineered into running.

The Privacy Guides post picks up the right detail on the training-exclusion line: "In a win for privacy, your conversations will not be used for model training with this setting on. Arguably this should just be the default, but it's good to have nonetheless." Translation: opting out of training is bundled into the high-security tier instead of being available on its own. A reasonable person could read that as thoughtful packaging or as a small extortion.

The Yubico partnership

The hardware tier ships with a vendor. OpenAI has co-branded a bundle with Yubico — the YubiKey C Nano (a low-profile USB-C key meant to live in the laptop) and the YubiKey C NFC (a backup with a tap interface for phones). Multiple outlets describe the pricing only as "preferred" or "a special price"; OpenAI has not published a public dollar figure. There is a $68 number circulating in roundup pieces, but no primary source we could read attaches it to OpenAI's own page. We will leave it out.

Both companies stayed close to script. OpenAI's CISO framed security keys as one of the strongest defences against phishing and noted that YubiKeys are now the standard for OpenAI employees. Yubico's communications framed the partnership as a global push to cut unauthorized-access risk on ChatGPT accounts. There is no daylight between the two press lines, which is what you would expect from a partnership that took months to negotiate.

The interesting question is who actually pays for the keys when OpenAI requires them. For the Trusted Access for Cyber population — banks, security vendors, enterprise customers vetted into the cyber tier — the answer is the employer. For the population OpenAI explicitly named — "journalists, elected officials, political dissidents, researchers" — the answer is the user. The discount is real; the ask is real too. A dissident now needs two hardware keys to keep using the model, and OpenAI's threat model has decided that is the right level of friction.

The Trusted Access mandate

The June 1 deadline is the load-bearing line. From Help Net Security's reading: "Individual members of Trusted Access for Cyber accessing OpenAI's most cyber capable and permissive models will be required to enable Advanced Account Security beginning June 1, 2026." Winbuzzer's report adds that organisations already running phishing-resistant SSO can opt out at the org level — a carve-out only one of the outlets we read flagged, so treat it as plausible-but-single-sourced until OpenAI confirms it on the help page. If it holds, it is also the thing that lets enterprise customers keep using the cyber tier without rolling out hardware keys to every analyst by Memorial Day.

What the mandate does, read against the May 4 AISI report, is admit a problem in writing. AISI found a universal jailbreak in six hours. OpenAI patched it. AISI could not verify the patch. The model went out the door. If the safeguard stack inside the model isn't audit-ready, the next cheapest place to put assurance is the authentication tier outside it. Hardware-key-plus-shorter-sessions does not fix a jailbreak. It does fix the case where a stolen ChatGPT credential — lifted from a journalist's reused password, say — gets routed at the cyber tier. The new perimeter assumes the model can be talked into bad things and reduces the population of people doing the talking.

That is a more honest threat model than the May 1 framing. It is also a slightly different deal than the one Trusted Access for Cyber members signed up for three weeks ago.

What this changes

Two things shift this week.

The first is that the cost of the cyber tier is now partly borne by users. A vetted bank already had hardware keys. A vetted independent researcher might not. The June 1 mandate converts a "we trust this organisation" model into a "we trust this organisation and its identity stack." That is a more defensible architecture and a more expensive one to be on the receiving end of. Some Trusted Access members will churn at the deadline rather than provision keys. OpenAI knows that. The churn is the point — the population using the cyber tier should be smaller and more verified after June 1, not larger.

The second is that the precedent is now sitting on the table. If OpenAI can require hardware-bound auth for its highest-capability tier, Anthropic can do it for any future Glasswing expansion. Google can do it the day Gemini ships an equivalent. The trip-wire architecture the Loop wrote about last week — the rule that you do not ship past a certain AISI score without restraint — now has a second clause: any restraint that does ship comes with a hardware-key tax. The deal is changing in real time, and the labs are moving toward an equilibrium where the most dangerous models are accessed through a tier that looks more like a corporate security desk than a checkout flow.

What to watch

1. How many Trusted Access for Cyber members exit at June 1. The SSO carve-out, if it is real, is the relief valve. If a meaningful fraction of the current cohort cannot meet the bar — smaller security shops and independent researchers most of all — the cohort shrinks. OpenAI does not have to publish the number. The indirect signal will be the next AISI evaluation: a smaller user base means fewer red-teaming hours per month against the safeguard stack.
2. Whether Anthropic adopts the same architecture for Glasswing. The May 1 piece argued the two labs had converged on Trusted Access as the gating standard. Hardware-key-plus-Trusted-Access is a new floor, and the question is whether Anthropic mirrors it before the next cyber model lands or after. Watch the Glasswing partner page for an update to authentication requirements.
3. The third lab. AISI's "broader trend" line is a bet that DeepMind, Meta, or DeepSeek will hit the cyber threshold this year. If they ship without the hardware-key tier, the gating cartel breaks at the perimeter, not the model. If they ship with it, FIDO2 hardware tokens become the access pattern for a generation of frontier capabilities. That is the version where Yubico's earnings call needs no irony budget.

The frame the security press reached for this week was "OpenAI improves account security." That is too flat. The story is that the access-control architecture for the most capable cyber model on the market just acquired a hardware perimeter, and the labs that want to keep arguing their gating story now have to argue it with a phishing-resistant token attached. The model card is no longer the only document a customer signs. The other one is a USB-C dongle.