[FEATURE] Require MFA, passkey, or other auth on gifit purchases to curb fraud

Resolved 💬 2 comments Opened Apr 17, 2026 by abedolinger Closed Apr 20, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

There's a common exploit (probably session hijacking) that bad actors are using to gift themselves subscriptions from compromised accounts. See:

I believe these are sold on gray market sites like the below:

https://www.g2g.com/categories/claude-ai-activation-links

Proposed Solution

If this is a session hijack, it could be mitigated by requiring MFA or a passkey to purchase. This would be a low-friction way to greatly improve security during checkout.

It seems that Anthropic support is overwhelmed at the moment. This would likely stem a good amount of volume from individual customers.

Alternative Solutions

  • A link could be sent to the user's email that would confirm a gift purchase
  • Common sense rate limits on gifting (see the first Reddit link) could prevent some of the worst offenses on its own

There are many tried-and-tested ways to ensure identity at the point of purchase; I just ask that one of them be implemented.

Priority

High - Significant impact on productivity

Feature Category

Other

Use Case Example

  1. Someone gains access to my session cookie, but not my phone
  2. They attempt to gift themselves 1 month of Max
  3. Anthropic sends a 6-digit confirmation code to my phone
  4. Instead of being charged and having to deal with bank fraud, I log out of all my sessions and go on with my day

Additional Context

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗