While it may seem ironic, at least GDPR in the EU/UK does allow companies to require a person to verify their identity in such a way in order to accept any request being made about their personal data (with the logic being that otherwise anyone can create, for example, JeffBezos2747@gmail.com and send fake GDPR requests for his personal data).
Yes, absolutely agree, but in some cases, like this one, it's more a symptom of the way OpenAI was not permitted by way of terms of service to grab my data.
Facebook, for example, know it's you because you signed up to the account.