by id_ris 3982 days ago
Is OTP one-time-password?

Yes, typically synonymous with two-factor authentication.
Google Apps lets you generate a series of one-time use codes, which you can print out and keep in a safe/folder/notebook, so that if your 2-factor-auth device (phone, fob, etc.) gets nuked, you can still log in.

I find it interesting that he could log in without 2-factor auth. Those things I thought were keyed to phone hardware.

Many 2fa implementations offer SMS (which would be compromised given a social engineering cell redirect) as an alternative to TOTP. (What's commonly referred to as "Google Authenticator" - it's time-based, so if you capture the initial image or code, you can actually set it up on multiple devices, so it's not exactly device-based)
This is a reason to not verify over SMS and to instead use the Google Authenticator app. It seems easier to socially engineer an SMS redirect than to obtain the mobile device and bypass its login authentication.

If you are going to verify over SMS, don't have your SMS messages forwarded to email as that would render your 2fa pointless.