ChatGPT is finally making your account more secure


OpenAI has added a long-awaited feature to ChatGPT that it says can boost your account security.

In a blog post, the company announced multi-factor authentication is now available for users to secure their account. It can be enabled in the settings of the ChatGPT web page (accessed by clicking your account name in the bottom-left corner) or in the OpenAI Developer platform.

To set it up, you will need an authenticator app installed on a mobile device. You then scan a QR code to add a Time-based One-Time Password (TOTP) secret to your authenticator. From then on you will be required to enter the ever-changing 6-digit code it generates every time you log into your ChatGPT account with your username and password.
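How the server side of the setup above works, as an added illustration (this is not OpenAI's code): the QR code carries an `otpauth://` URI with a base32 secret, and the service later checks each 6-digit code with RFC 6238 TOTP (HMAC-SHA1, 30-second steps). The verifier also shows two checks a practitioner would want: a small drift window and a replay guard so a code that already succeeded cannot be reused. The secret and URI below are constructed from the RFC 6238 test vector.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

STEP_SECONDS = 30
DIGITS = 6


def secret_from_otpauth_uri(uri: str) -> bytes:
    """Extract the base32 secret carried in the otpauth:// URI an authenticator scans."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    secret = parse_qs(parsed.query)["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore base32 padding that QR payloads omit
    return base64.b32decode(secret)


def totp(secret: bytes, counter: int) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated to 6 digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, now: int,
           last_used: Optional[int] = None, window: int = 1) -> Optional[int]:
    """Accept the code for the current step or its neighbours (clock drift), but never
    a step at or before one that already succeeded, so a captured code cannot be
    replayed. Returns the matched counter on success, None otherwise."""
    current = now // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if last_used is not None and counter <= last_used:
            continue
        if hmac.compare_digest(totp(secret, counter), code):  # constant-time compare
            return counter
    return None


# Constructed example: the RFC 6238 test secret, as it would appear in a QR payload.
EXAMPLE_URI = "otpauth://totp/Example:user?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"

if __name__ == "__main__":
    key = secret_from_otpauth_uri(EXAMPLE_URI)
    print("current code:", totp(key, int(time.time()) // STEP_SECONDS))
```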


You'll also be given a recovery code when setting up MFA, which you will need to keep safe. This is in case you lose your device or are unable to use your TOTP codes for whatever reason. You can also recover your account via a code sent to your email address.

Once you have set up MFA, you cannot change the app you use for authentication without first disabling and re-enabling MFA in the settings. So far, it seems that standard ChatGPT accounts can only use authenticator apps for MFA - there is no option to receive one-time codes via SMS instead, or to use security keys.

Using an authenticator app rather than an SMS code is considered safer, as text messages can be intercepted by cybercriminals through SIM swapping scams, which effectively take over a victim's phone number.

Using MFA or two-factor authentication (2FA) for every digital account you have is recommended by cybersecurity experts. It means that even if hackers manage to crack your password for a certain account, they still won't be able to gain access without also having the TOTP generated by your authenticator.

However, MFA isn't completely bulletproof. There have been reports of hackers hijacking account sessions that users have already validated with their authenticator codes, by stealing the session token; the attackers then don't need to know the codes at all to gain access.

Push-based MFA is also vulnerable to fatigue attacks, where users are bombarded with push notifications asking them to verify a login attempt and eventually accept one just to make them stop.


Lewis Maddison
Staff Writer

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers.

His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.

He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.