This matches my case exactly, and @owallesun’s theory fits perfectly. On my account, ChatGPT web and Codex web log in fine, and my MFA (Authenticator) works — the only failure is Codex client authorization (Mac app + CLI), which forces a code to my original registered number (+44 …, permanently deactivated by the carrier) instead of honoring my configured MFA method.
I’ve already updated to the latest Codex app + CLI per the macOS signing-rotation email; no change. So if recent client auth is falling back to the original registered phone number rather than the MFA method on file, that would explain why passkeys/Authenticator are ignored and only the dead SMS/WhatsApp number is accepted. Could the engineering team check whether Codex client auth is incorrectly verifying the original registered number instead of the user’s configured MFA method? Case 09491223.