by emeidi 3521 days ago
I stopped reading here: "While Bob didn’t have multi-factor authentication enabled"
1 comments

You shouldn’t have. Google trusted the phone too much, using it instead of the user-supplied secrets to determine who was allowed to access the account. Whether or not the account used multi-factor authentication seems quite perfectly irrelevant?