OpenAI Enforces Phone Verification as Bulk Codex Farming Triggers Risk Control

This week, OpenAI prompted some ChatGPT users for phone number verification—not due to compliance pressure, but because free Codex (OpenAI's code-generating Agent tool) quotas were being farmed by bulk registration bots to the point where the platform couldn't tolerate it anymore.

What this is

Since this week, some users logging into ChatGPT or Codex have received a phone verification pop-up. Note that this is selectively triggered, not a mandatory control for everyone. Web chat might work fine, but opening Codex triggers the verification.

We noticed that three types of accounts are most susceptible: those with short registration times and frequently switching IP regions; those registered with disposable emails or Gmail aliases; and those that recently enabled developer features like Codex or API. These behavior patterns highly overlap with bulk bot accounts, causing them to be flagged by the risk control system.

The underlying logic is actually consistent: while OpenAI adds verification hurdles for some users, it is also testing a new "register with just a phone number" scheme in the US and India. The two moves seem contradictory, but the goal is the same—to make each account correspond to a real person. Once a phone number is bound, it is locked and cannot be used to register a new account. This means the repeatedly used numbers on SMS activation platforms (gray-market services providing temporary phone numbers for verification codes) are essentially useless now.

Industry view

From a platform governance perspective, this move is uncontroversial. Free quotas are being drained by tens or hundreds of thousands; banning accounts is endless, so they have to block them at the identity verification level. For SaaS products fighting bulk registration, phone number verification is the most basic measure.

But the risk worth worrying about is collateral damage. Normal users using shared IPs (like corporate networks or VPN nodes) that coincidentally overlap with bulk registration bots will be prompted for verification. There are already numerous complaints in Reddit and Telegram communities. More tricky is that the SMS activation platform ecosystem is collapsing—the veteran platform SMS-Activate shut down late last year, its successor HeroSMS has mixed reviews, and OpenAI verification codes are often not received. Numbers repeatedly used have already been flagged by the system. Gray-area participants are being squeezed out, but normal users caught in the crossfire currently have no clean appeal channel.

Impact on regular people

For enterprise IT: Office networks with shared exit IPs might collectively trigger verification. We recommend self-checking IP risk scores (e.g., ping0.cc, ipdata.co) and switching to dedicated nodes if necessary.

For individual professionals: Free accounts are the most susceptible. In our testing, the most effortless solution is upgrading to Plus—paid users basically never trigger it. If the pop-up still appears, it's highly likely an IP issue rather than an account issue.

For the consumer market: The reliability of SMS activation platforms will only continue to decline, and the window to bypass verification using temporary numbers is closing. The gray-market path to low-cost AI tool experiences is getting narrower; OpenAI is forcing users toward legitimate registration or paid plans.