I shall use a real situation that happened to me, but this is just to demonstrate my point. I am definitely not going to do anything about it. This is a purely theoretical question; I am not interested in legal advice.
I made a GDPR Subject Access Request (SAR) of a data controller. To provide them with the data to identify myself they required me to use a web portal. This looked rather like a webmail interface, but only allowed communication to the data controller. To use this portal I had to create an account, which required accepting a conventionally long Terms and Conditions agreement. This was justified on security grounds. It is worth noting that I included a PGP public key with my initial SAR that would have allowed secure communication over email.
Can a data controller require the data subject to accept terms and conditions to identify themselves? Can a data subject require the data controller to accept terms and conditions to fulfil an SAR? Does the answer to the latter question depend on whether the data controller has already made such a request?