
How does this work exactly? #4

Open
Carl-Hugo opened this issue Apr 17, 2024 · 2 comments

Comments

@Carl-Hugo

Hi,

I tried the demo, entered an email address, received a code, and entered it. Then, the GPT told me I was authenticated/verified (as expected).
I then opened another browser and entered the same email, and the GPT told me my email had already been verified without sending me a new code.

Based on that, I'd like to know how the validation is done and how subsequent calls to a REST API would be processed. So far, my understanding is that as long as someone validates an email address, anyone else can use the same email address without having access to it (no code to enter), which is not secure.

Am I missing something? Am I misunderstanding how this works?

Thanks

@Anil-matcha
Owner

Yes, currently that is a limitation to prevent the user from having to keep checking their OTP every time. And this authentication is per GPT. Thus an email authenticated for one GPT won't be useful for another GPT.

We can add an option to always send an OTP if you want a more secure method of verifying with an OTP every time.

@Carl-Hugo
Author

We can add an option to always send an OTP if you want a more secure method of verifying with an OTP every time.

I believe this would be a great option. I'd even say it should be the default (or even the only option) because there is very little security at this point if anyone can enter any email without being authenticated.

Example Scenario: User X is paying for a service that offers an API with limits or is billed by consumption (pay as you go). A GPT uses that API. User X authenticates, validates that they received the OTP, and can use the service. User Y finds out somehow that User X pays for that service and uses User X's email. At this point, User X pays for User Y's API usage because User Y hijacked User X's account by knowing only his email address.
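The two behaviours discussed in this thread side by side, as an added example that is not part of the issue or the project's code: a per-(GPT, email) "verified" flag that waves a second browser through, the proposed always-send-OTP option, and a session token so that API calls are gated on proof that this session passed the OTP rather than on the email's flag. The `OtpVerifier` class, the `always_send_otp` flag, the in-memory outbox and the `billing-gpt` / `x@example.com` values are assumed for illustration.

```python
import hmac
import secrets
import time

# Assumed, simplified model of the flow described in this issue (not the project's code):
# state is keyed by (gpt_id, email) since the owner says verification is per GPT.
class OtpVerifier:
    def __init__(self, always_send_otp, ttl_seconds=300):
        self.always_send_otp = always_send_otp
        self.ttl = ttl_seconds
        self.pending = {}      # (gpt_id, email) -> (code, expiry)
        self.verified = set()  # (gpt_id, email) flags; the global state the issue describes
        self.sessions = {}     # token -> (gpt_id, email); proof that *this* session passed OTP
        self.outbox = []       # (email, code); stands in for the mail delivery

    def start(self, gpt_id, email):
        """Begin verification from a browser. Returns 'already_verified' or 'sent'."""
        key = (gpt_id, email)
        if key in self.verified and not self.always_send_otp:
            # The weak path: a second browser is trusted on the email alone.
            return "already_verified"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[key] = (code, time.time() + self.ttl)
        self.outbox.append((email, code))
        return "sent"

    def confirm(self, gpt_id, email, code):
        """Check the code once; on success return a session token, else None."""
        key = (gpt_id, email)
        entry = self.pending.pop(key, None)
        if entry is None or time.time() > entry[1] or not hmac.compare_digest(entry[0], code):
            return None
        self.verified.add(key)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = key
        return token

    def authorize(self, gpt_id, token):
        """Gate API calls on the session token, not on the email's verified flag."""
        return self.sessions.get(token, (None,))[0] == gpt_id


def replay_issue_scenario(always_send_otp):
    """User X verifies in browser 1; User Y opens browser 2 with X's email."""
    v = OtpVerifier(always_send_otp)
    v.start("billing-gpt", "x@example.com")
    token_x = v.confirm("billing-gpt", "x@example.com", v.outbox[-1][1])
    second_browser = v.start("billing-gpt", "x@example.com")
    return second_browser, v.authorize("billing-gpt", token_x)
```

With `always_send_otp=False` the second browser gets `already_verified` without a code; with it on, a fresh code goes to the mailbox, and either way a caller without a token from `confirm` is refused by `authorize`.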
