To avoid such things, I have a notebook in my drawer in which I have all the passwords to all my online accounts written down. If I change a password, I update the entry. If I create any sort of online account, it gets added to the diary. I figured if someone bothered enough to physically steal my diary from my drawer, I'd have bigger problems to worry about than my YouTube credentials.
I'm currently locked out of a Gmail account I have the password for but Google decided that isn't enough; it doesn't like my IP address and wants me to verify against a phone number I no longer have.
> wants me to verify against a phone number I no longer have.
I had the same. There's a good chance someone else has that number now - add them on WhatsApp/Facebook Messenger/etc by phone number, Google their number and try to find them, or call them.
In my case, I was able to recover the account by communicating with the new owner, and him quickly sending me the 2FA code he got from Google when I tried to log in.
That's why it's so insane to consider it a safe 2FA source.
6 months. That's all it takes between the last time a user successfully used a phone number, and a new user getting assigned the same number with prepaid SIMs in Germany.
...And the IP you used to sign up... and the city for that IP in the geolocation database at that specific date... and the exact User Agent string... and the time zones... and...
Or maybe they should stop being idiots and allow people with strong passwords to... just use passwords to authenticate.
Maybe some type of "I know what I am doing, kindly fuck off Google" option.