[aleph_naught]

Go to: https://myaccount.google.com/signinoptions/two-step-verifica...

And remove SMS from the listing. I currently have 3 2FA mechanisms listed: Security-Key/Yubikey (default), Authenticator App (set on two devices), and Backup codes which I downloaded (and at some point will print and place in a safe deposit box).

Losing access to my two gmail accounts would be a complete nightmare---more so than my bank/brokerage accounts. Some brokerages like TD Ameritrade do not even offer 2FA. In my case, paranoia mode for email accounts is completely warranted.

I really wish U2F becomes the standard across all web services. It seems insane that, in some scenarios, the only barrier against financial ruin is the gullibility of your cell-phone provider's customer service rep.

[davchana]

I might be wrong, tried long ago, but maybe it is that even if you don't list SMS as your backup code delivery option, clicking forgot password (need only your username), and then going to Other Options, and choosing to gey identified by providing a phone number (Google shows type your number * * * * * * -1234), hijacking its SMS, can provide access to your account.