Note that it sends a code to your phone which is logged into your Google account, via a (presumably/allegedly, but at least it's not SMS) secure channel.
(Actually, it doesn't send a code to your phone. It either sends a prompt to your phone, OR you can open a buried menu in some app to GET a - essentially TOTP - code.)
Oh no, if I cycle enough through Other Ways or I don't have my phone (while having my phone number connected with Google Account), it offers me to confirm my phone number with showing number as *** & last 4 digits.
When I confirm the phone number, it sends a 6 digit SMS code prefixed with G-, like G-123456 The input box on page has already a read only G- text, & then a box for 6 digit code. After I confirm code from SMS, it gives the option to reset password.
Most of the forgot password ways to reset password is Tap on other Device prompt OR get a code from Google App.
Sample Google SMS to reset code with fictional number.
```G-007007 is your Google verification code.```
After I removed the phone number, now if i click Other Ways enough times, it simply says, give us the information about last time logged, creation date, some address I email frequently, & some other stuff, & sats it will take few days for them to get back to me.
Oh yeah, I also agree n believe that's the reason. Although having a key active does not mean the super secure government level threat protection, if one activates that threat from state protection, many of the account recovery options become unavailable.
I assume the number of account recovery options diminish with increasing levels of protection.
I have a security key active but it still offers to send me an SMS code for some reason (worryingly, to a phone number I no longer have... should probably get on to changing that)
(Actually, it doesn't send a code to your phone. It either sends a prompt to your phone, OR you can open a buried menu in some app to GET a - essentially TOTP - code.)