Seriously though if you are letting agents do whatever they want without a PR process that requires hardware authentication or proof of presence, you are putting your code and your org at high risk.
Does this apply to anyone who verified their ID to get access to the slightly less restricted Codex versions, or only to security professionals who have the almost-entirely unrestricted version?
I was looking at something similar a couple of days ago.
I think a physical key like a yubi key is a great way to fight bot traffic.
And apparently cloudflare already ran project to test this out, and found some small drawbacks.
So they proposed CAP together with other orgs
https://developers.cloudflare.com/fundamentals/reference/cry...
This might be an extreme case of that, but I can see us going in that direction
Interestingly, I had to switch to my unpaid OpenAI account to access it. I suspect this is because my paid account is registered to a custom.com email address.
Cobranded YubiKeys? Weird flex but ok.
Seriously though if you are letting agents do whatever they want without a PR process that requires hardware authentication or proof of presence, you are putting your code and your org at high risk.
I hope that at some point this is not developing to remote attestation when only "permitted" devices can use the models.
Does this apply to anyone who verified their ID to get access to the slightly less restricted Codex versions, or only to security professionals who have the almost-entirely unrestricted version?
I was looking at something similar a couple of days ago. I think a physical key like a yubi key is a great way to fight bot traffic. And apparently cloudflare already ran project to test this out, and found some small drawbacks. So they proposed CAP together with other orgs https://developers.cloudflare.com/fundamentals/reference/cry...
This might be an extreme case of that, but I can see us going in that direction
Dumb question: is using the built in passkey support on my iPhone not considered “hardware-backed”, even though iPhone is using device biometrics?
It’s an advertisement by Yubikey - the hardware key manufacturer
It's a great deal — about 50% off — for those who already wanted a Yubikey.
https://www.yubico.com/store/partner/openai/
Interestingly, I had to switch to my unpaid OpenAI account to access it. I suspect this is because my paid account is registered to a custom.com email address.
I was actually thinking they would have to do this. Having to mail a physical token to a valid address is a extremely powerful access control method.
[flagged]