ChatGPT is finally making your account more secure

OpenAI has added a long-awaited feature to ChatGPT that it says can boost your account security.

In a blog post, the company announced multi-factor authentication is now available for users to secure their account. It can be enabled in the settings of the ChatGPT web page (accessed by clicking your account name in the bottom-left corner) or in the OpenAI Developer platform.

To set it up, you will need to have an authenticator app installed on a mobile device. You will then have to scan a QR code to add the Time-based One-Time Passwords (TOTP) to your authenticator. You'll be required to enter these ever-changing 6-digit codes every time you log into your ChatGPT account with your username and password.

You'll also be given a recovery code when setting up MFA, which you will need to keep safe. This is in case you lose your device or are unable to use your TOTP codes for whatever reason. You can also recover your account via a code sent to your email address.

Once you have set up MFA, you cannot change the app you use for authentication without first disabling and re-enabling MFA in the settings. So far, it seems that you can only use authenticator apps for MFA in standard ChatGPT accounts: there is no option to receive one-time codes via SMS instead, or to use security keys.

Using an authenticator app rather than an SMS code is considered safer, as phone messages can be intercepted by cybercriminals via SIM swapping scams, which effectively clone a victim's phone number.

Using MFA or two-factor authentication (2FA) for every digital account you have is recommended by cybersecurity experts. It means that even if hackers manage to crack your password for a certain account, they still won't be able to gain access without also having the TOTP generated by your authenticator.

However, MFA isn't completely bulletproof. There have been reports of hackers hijacking account sessions that have already been validated by users with their authenticator codes, meaning they don't need to know the codes at all to gain access.

MFA is also vulnerable to fatigue attacks, where users are bombarded with push notifications asking them to verify a login attempt, and eventually accept one just to make the prompts stop.

Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, including speakers and headphones, having spent over a decade exploring the murky depths of audio production and PC building. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.