OpenAI Introduces Advanced Account Security

OpenAI has introduced new security protections for ChatGPT accounts called Advanced Account Security, to protect users against account takeover.

You can enable the protections now.

The new mode requires passkeys or hardware security keys in order to log in to your account. Both of these use the open FIDO2 standard developed by the FIDO Alliance.

These are more secure sign-in methods than passwords: they are based on public/private key cryptography, similar to the type TLS uses, so the secret never leaves your device and nothing reusable is sent to the server.

Password login is disabled, preventing someone who obtains your password from bypassing the security protections of your FIDO2 login. This is important; many services allow you to add passkeys or hardware keys but still let you log in with just your password, severely limiting the security increase the FIDO credentials can provide.

Account recovery, another target of account takeover, also sees a big security improvement. Email and SMS account recovery are disabled, since a compromised email account or SIM card could lead to your account being hacked.

SIM swap attacks are a very real threat and hinging your account security on unencrypted SMS that can be rerouted without your knowledge was always a terrible idea, and OpenAI is acknowledging that here.

Ditto for email: the recovery emails sent to your inbox are always unencrypted, and the security of almost all of your accounts hinges on the security of your email account.

Instead of these, you will need to utilize a great feature of passkeys and hardware keys: you can add multiple of each.

Your recovery with this new feature will be 100% up to you, so make sure you store away at least one other passkey or hardware key in a safe place. OpenAI says they won’t be able to recover your account if you are enrolled in Advanced Account Security.
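To make the sign-in and recovery policy described above concrete, here is an added Go example that is not OpenAI's code and does not come from this article. It uses Ed25519 from the Go standard library in place of the real FIDO2/WebAuthn attestation and assertion formats, and it reduces WebAuthn's origin binding (a signed authenticator-data blob plus a client-data hash) to prefixing the relying-party ID onto the challenge. The relying party "chat.example", the type and function names, and the credential IDs are all assumptions. It shows the four properties the article relies on: the server stores only public keys, a login is a fresh single-use challenge signed by the device, the password path is refused outright once the mode is on, and the mode cannot be enabled until a second (backup) key is registered.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Account keeps only the public key of each registered passkey or hardware key
// plus whether the legacy password path is still allowed. Everything here is an
// added illustration, not OpenAI's code: the relying party "chat.example", the
// type and function names and the credential IDs are assumptions.
type Account struct {
	creds      map[string]ed25519.PublicKey // credential ID -> public key
	passwordOK bool
}

type RelyingParty struct {
	rpID       string
	accounts   map[string]*Account
	challenges map[string]bool // outstanding single-use challenges
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{rpID: rpID, accounts: map[string]*Account{}, challenges: map[string]bool{}}
}

// RegisterKey stores the public half; the private key never leaves the authenticator.
func (rp *RelyingParty) RegisterKey(user, credID string, pub ed25519.PublicKey) {
	a, ok := rp.accounts[user]
	if !ok {
		a = &Account{creds: map[string]ed25519.PublicKey{}, passwordOK: true}
		rp.accounts[user] = a
	}
	a.creds[credID] = pub
}

// EnableAdvancedSecurity turns the password path off. The service can then no
// longer recover the account, so it refuses unless a backup key is registered.
func (rp *RelyingParty) EnableAdvancedSecurity(user string) error {
	if a := rp.accounts[user]; a == nil || len(a.creds) < 2 {
		return errors.New("register a second passkey or hardware key first")
	}
	rp.accounts[user].passwordOK = false
	return nil
}

// PasswordLoginAllowed is checked before the password is even read, so once the
// mode is on a phished or leaked password cannot bypass the FIDO2 login.
func (rp *RelyingParty) PasswordLoginAllowed(user string) bool {
	a := rp.accounts[user]
	return a != nil && a.passwordOK
}

// NewChallenge issues a fresh 32-byte nonce that is accepted exactly once.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[string(c)] = true
	return c
}

// signedData binds the relying-party identifier into the signed message, so an
// assertion produced for a look-alike domain does not verify here.
func signedData(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// Login checks: single-use challenge, known user and credential, valid signature.
func (rp *RelyingParty) Login(user, credID string, challenge, sig []byte) error {
	if !rp.challenges[string(challenge)] {
		return errors.New("challenge unknown or already used")
	}
	delete(rp.challenges, string(challenge))
	var pub ed25519.PublicKey
	if a := rp.accounts[user]; a != nil {
		pub = a.creds[credID]
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, signedData(rp.rpID, challenge), sig) {
		return errors.New("unknown user or credential, or invalid signature")
	}
	return nil
}

// Assert is the authenticator side: the private key signs the challenge for the
// rpID the browser reports it is talking to, and never leaves the device.
func Assert(priv ed25519.PrivateKey, rpID string, challenge []byte) []byte {
	return ed25519.Sign(priv, signedData(rpID, challenge))
}

func main() {
	rp := NewRelyingParty("chat.example")
	phonePub, phonePriv, _ := ed25519.GenerateKey(rand.Reader) // passkey on the phone
	sparePub, _, _ := ed25519.GenerateKey(rand.Reader)         // hardware key kept in a drawer
	rp.RegisterKey("alice", "phone-passkey", phonePub)
	rp.RegisterKey("alice", "spare-hardware-key", sparePub)
	fmt.Println("enable:", rp.EnableAdvancedSecurity("alice"), "| password allowed:", rp.PasswordLoginAllowed("alice"))
	c := rp.NewChallenge()
	fmt.Println("passkey login:", rp.Login("alice", "phone-passkey", c, Assert(phonePriv, "chat.example", c)))
	fmt.Println("replayed challenge:", rp.Login("alice", "phone-passkey", c, Assert(phonePriv, "chat.example", c)))
	c = rp.NewChallenge()
	fmt.Println("look-alike site:", rp.Login("alice", "phone-passkey", c, Assert(phonePriv, "chat-example.net", c)))
}
```

Running `main` walks through the scenarios in order: enabling the mode only succeeds after the second key is registered, the password path then reports itself as disabled, a fresh assertion from the phone passkey is accepted, the same challenge is rejected on replay, and an assertion signed for a look-alike domain fails because the relying-party ID is part of the signed message. The last case is the phishing resistance that makes these credentials stronger than a password, and the backup-key requirement is the code form of the article's advice to store a second key somewhere safe.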

Social engineering attacks on support workers are a common vector for attackers to gain control over your account, so putting the onus on the user is a good call.

Another common attack vector is session hijacking, where an attacker steals the session tokens stored on your machine after you have already logged in, essentially bypassing the need to exploit your login credentials at all.

To combat this, OpenAI is reducing the length of time sessions stay valid for users enrolled in this setting, and will give you an easy way to review active sessions across all devices you're logged in on, as well as alerts when a new login occurs.

In a win for privacy, your conversations will not be used for model training with this setting on. Arguably this should just be the default, but it’s good to have nonetheless.

OpenAI also partnered with Yubico to provide better prices on YubiKeys to ChatGPT users via a bundle.

OpenAI promises more security and privacy improvements to come in the future, although they’re scant on details. They promised some kind of “client-side encryption” for ChatGPT that has yet to materialize.