Codex CLI login forces SMS phone OTP step-up on a security-key-only (Advanced Account Security) account; browser login honors AAS

[Jesssullivan]

What happens

On a fresh codex login (stock CLI, no wrappers or automation), the CLI opens the standard OpenAI browser OAuth flow. Primary authentication with my FIDO2/CTAP2 hardware security key succeeds, and the flow then redirects to https://auth.openai.com/phone-otp/select-channel and presents a "Verify your phone number" SMS/WhatsApp one-time-code dialog. That step-up cannot be satisfied with my enrolled hardware keys, so sign-in is blocked.

Crucially, normal browser sign-in to ChatGPT and to platform.openai.com on the same account — with the same security keys — resolves correctly and never prompts for a phone. Only the codex login CLI OAuth path forces the SMS step-up. This looks like a cross-surface authenticator-policy gap: the web sign-in enforces the account's policy; the Codex CLI path falls back to an SMS channel the policy is documented to disable.

Account configuration

• OpenAI Advanced Account Security enabled
• Two FIDO2/CTAP2 hardware security keys enrolled
• No phone-based authentication factor configured
• Per OpenAI's docs, Advanced Account Security disables SMS sign-in codes and SMS account recovery (help.openai.com/en/articles/20001221), relying on passkeys/security keys.

Expected behavior

On an Advanced Account Security / security-key-only account with no phone factor, step-up verification should use an enrolled factor (security key / passkey) — not an SMS/WhatsApp OTP that AAS is documented to disable.

Actual behavior

auth.openai.com/phone-otp/select-channel offers only SMS/WhatsApp OTP to a phone number that is not a currently-configured factor on the account. With AAS + security keys and no phone factor, there is no way to complete the step-up, so Codex sign-in is unusable — while browser sign-in on the same account works.

Steps to reproduce

1. An account with Advanced Account Security + FIDO2 security keys and no phone factor.
2. codex login (stock, macOS) → local callback server on http://localhost:1455 → genuine OpenAI OAuth at https://auth.openai.com/oauth/authorize (PKCE S256, scope openid profile email offline_access api.connectors.read api.connectors.invoke).
3. Complete primary auth with the hardware security key.
4. Flow redirects to auth.openai.com/phone-otp/select-channel demanding SMS/WhatsApp OTP → blocked.

Environment

• Codex CLI (stock), macOS, June 2026.
• Reproduced with raw codex login — no wrappers, proxies, or automation.

Impact

Users who deliberately hardened their account with Advanced Account Security + security keys (and intentionally have no phone factor) can be fully locked out of Codex by an SMS step-up they cannot complete, even though their browser sign-in on the same account succeeds.

Possibly related

#20161, #20320, #21189, and discussion #20868 — but those don't isolate the Advanced Account Security cross-surface angle (web honors AAS; the CLI path forces SMS).

Note

Account-specific details and the affected phone number have been reported to OpenAI privately and are intentionally omitted here.

[github-actions]

Potential duplicates detected. Please review them and close your issue if it is a duplicate.

• Authentication for Codex has literally broken #25670
• Codex ChatGPT login flow #24990

Powered by Codex Action

[Jesssullivan]

To be clear, AFAICT this is a serverside and an exploitable bug, not a codex CLI issue. Haven't been able to get through this and figured given codex is the touchpoint for me, perhaps others have encountered this and can get the attention the issue needs.

(I am a human, for what its worth).

[fahdfady]

Same here. It is horrible to be honest and i'm not able to access anything.

[LaiZhou]

I am a ChatGPT Plus subscriber.

My ChatGPT account works normally.

I previously used Codex successfully.

After signing in on another device, my Codex authentication was invalidated and I was forced to re-authenticate.

Now every Codex login redirects to the phone verification page.

The phone number previously associated with my account is no longer accessible because it has been retired by the carrier.

I cannot complete the verification process and therefore cannot access Codex.

Could you please help recover access to my Codex account or update the verification method?

Thank you.

[barayuda]

same issue here, always got OTP since OpenAI Advanced Account Security enabled

https://auth.openai.com/api/accounts/phone-otp/send

{
  "error": {
    "message": "You've made too many phone verification requests. Please try again later or contact us through our help center at help.openai.com.",
    "type": "invalid_request_error",
    "param": null,
    "code": "rate_limit_exceeded"
  }
}

[afram123]

Reproduced on Windows + Codex CLI, confirming this exact cross-surface gap.

I enrolled in Advanced Account Security (two passkeys/security keys + authenticator app, SMS MFA off). Browser sign-in to ChatGPT honors the passkeys with no phone prompt — but codex login still redirects to the phone-otp/select-channel SMS/WhatsApp step-up, targeting an old number I no longer have access to. So AAS does not suppress the SMS channel for the Codex OAuth flow, and enrolling in it does not fix the lockout — contrary to what the "disable SMS sign-in codes" description would suggest.

As an EU (Sweden) user I'm also pursuing this as a GDPR Article 16 (rectification) / Article 17 (erasure) request, since the account holds an inaccurate phone number that current policy won't let me correct except by deleting the account.

Related: #25749, #25800.

[Jesssullivan]

@afram123 Thanks for adding this reproduction, this is exactly our observed bug. 🙏 GDPR Articles 16 / 17 req appears to be exactly the appropriate course of action.

-Jess