You can get locked out of your Google account if Authenticator is enabled and you lose access to it, even if 2FA phone verification is set up. Make sure to save those backup codes!
TL;DR: I assumed that having a phone number set up as a 2FA method on my Google account would allow me to recover access if needed. However, it turns out that’s not the case if you’ve previously configured Google Authenticator.
Back in 2014, I enabled 2-step verification on a secondary Google account, configuring it with both Google Authenticator and a 2-Step Verification phone number to receive verification codes. Unfortunately, sometime in the past decade, I reset the Android device with the Authenticator app that generated verification codes for this account. While I likely received backup codes when I first set up 2FA, it seems I didn’t save them.
Recently, when logging in with my username and password, I received a 2-step code via SMS to my registered phone number. However, when trying to launch a Virtual Machine on Google Cloud, I was prompted for a verification code from Google Authenticator. Without Authenticator, I had no way to generate a code, and I couldn’t remove Authenticator as a verification option. Every attempt to “try another way” only directed me back to Google Authenticator for verification.
At this point, the account is effectively dead to me, as privileged actions require an Authenticator code and I have no way to generate them. While I recognize that my own inaction contributed to this situation—and I’m fortunate it’s not a primary account I rely upon—it’s still frustrating.
I’m certain I received backup codes when I initially set up 2-Step Verification, and it was my own mistake not to save them. Still, I can’t shake the feeling that I’m completely locked out with no way to recover access, and it’s a bit surprising that having a 2FA phone number isn’t even a fallback option. I suppose the reality is that phone numbers are now considered an insecure verification method. Since I learned that SMS codes can’t replace all use cases for Authenticator codes, make sure you save those backup codes!