I suffered a traumatic brain injury (TBI) related to an e-bike accident two years ago. I woke up in the ICU after a short coma-like thing with the nurses/doctors asking me questions, and it was clear I was answering for the 10th time or more, like we had all done this before, but I couldn't remember anything.

Thankfully my very long password I use for an encrypted Borgbackup I have was somewhere deep or untouched, but, otherwise I would have been fucked. Also, the backup codes Google told me they would always accept failed and it wasn't until I found a random unused Android device in a drawer that had been unused for a year was I able to get access back to my Google account of ~25 years.

Wow, it both surprises me but also makes me feel justified in that I keep telling people to make backups of things they care about including something like a Spotify account (if your song lists are dear to them, at least the titles and other metadata that they could rebuild from) and other "cloud" or SaaS services. Anything one cares about, back it up! (Not to you but as a PSA)

Still, it's weird that Google doesn't accept a recovery code. Then again, I had a similar issue where I had nothing set up but a recovery email address and password (back when 2FA was rare), and after confirming both, Google said "well, we still think it's suspicious, why don't you use a device where you're already logged in" (my account had no active sessions that I knew of, besides that I was traveling). Luckily I didn't need it for anything as I had my email moved away already at that time. I still can't access that account today and I switched to throwaway accounts for things like YouTube comments or app downloads from the Play Store (need to download that government authentication software somehow...)

Did Google specifically reject the recovery code as invalid, or did it accept all entries and then their algorithm rejected the login outright?

It accepted the backup code and my correct password and then wanted to verify more stuff, which there was nothing, and just said "Sorry, we can't give you access to your account right now".

Ah, yes okay that sounds precisely like my situation as well. Not so much the backup codes not working as Google's auth gatekeeper being moody, the last thing you want from a login system

I understand how it plays out, but these are backup codes that I put into a backup strategy for serious life events and both times I needed them they failed to accomplish what they are for =(

Had I followed Google's own advice and relied entirely on these codes (which I thought I was doing) I would still be locked out of all those accounts, purchase history, Google Play Developer, etc.

In general, instead of saving these codes you want to save the HOTP seed in order to set up 2FA again. I don't even bother with recovery codes.

I also had old Google backup codes fail a few years ago. Anybody who hasn't regenerated them in a year or two, I recommend you do so.

Well, this is disturbing news.

I have (had?) a Google account tied to my email (which is on a domain I own). Not sure if I ever gave them my phone number, initially. Tried to login a few years back, correct password, but they insisted on me entering my phone. Finally I did - and they can't let me in because my "provider is not supported" and they can't send an SMS with the code, so I'm locked out. Tried every few months since then, no go. Fortunately I didn't lose much (except some family photos), but it is annoying as hell. I wouldn't trust Google with anything important. And yes, I tried with a brand new number on a new phone, unrelated provider. No dice. According to reddit I'm far from alone in this. So if you rely on a Google account for anything... Well, good luck!

Google services are best treated as a liability.

Make Google Takeouts a part of your backup routine.

Long-term access recovery typically requires rituals like annual check-ins, media rotation, and human drills. We already do this with annual fire-drills.

My password manager has, *checks*, precisely 900 entries. Say that I care about maybe ten percent, that's still doing a "drill" on every single weekend day of the year

Security aspects of software should just work properly. Google should test this and, imo, people should make backups of data they care about. Google might ban you for any reason, no matter if the recovery drill worked 2 hours ago it might not work anymore now. Seems like a fool's errand to keep chasing it instead of making routine (or automated) backups of data when you update it

my stomach turned into a knot just reading your story. I know that feel of waking up surrounded by nurses not knowing what happened. I'm so glad you had proper backups!!!!!!!!!!

this exact story is why i built my app, thank you so much for sharing.

my hope is to basically make a next version of your plan that's distributed among friends.
