
This is the "It's because of our amazing success that we totally fail at things" argument. If you can't do things right "at scale," that's fine, but everyone should know you suck at servicing that level of load, for example the fact that you don't require 2FA to change my 2FA settings, and there's no support path or even a support department for when my phone falls into a port-a-potty.


You can't change 2FA with just your password - you are being confused by the headline.

You need a second factor. That is either your 2FA device, a backup 2FA method, backup codes, an authenticated and still valid login session, etc.

If you are security paranoid, you can lock out insecure 2FA methods, never validate your device and sign up for their Advanced Protection Program.

Note, however, Google is VERY clear -> if you lock yourself out it is game over. They do not allow humans to override the lockouts -> period. This is obviously good for security. All the folks here complaining about this supposed 2FA issue while asking for human support to allow login override / resets really have no clue about the GIANT security hole that opens.

Witness all the sim card hijacking done through phone co's (that do allow human involvement).

Google is CRYSTAL clear.

Q: Create a replacement Google Account

A: If you still can't get into your account, create a new one.

Q: Why can't I get into my old account?

A: We couldn't be sure that you're the owner. To keep accounts safe, we can't give access to them if we can't confirm who the owner is.

They've closed the big hole (human override / corruption / bribes / social engineering). And have made it so that you have only a bit of extra risk to stay in your account. Don't like that? Don't authenticate your devices as trusted.
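The rule the comment above describes (a 2FA settings change needs a second factor, or a login session that recently proved one, and a locked-out account has no override path) can be expressed as a small step-up authentication gate. The following is an added example, not Google's code and not part of the original post: the policy function, the 15-minute freshness window, and the sample account and backup code are all constructed assumptions; the HOTP/TOTP code-check follows RFC 4226 and RFC 6238.

```python
"""Step-up authentication gate for 2FA settings changes.

Added example, not Google's code: models the rule from the thread that a
2FA change needs a second factor or a session that recently proved one,
and that a locked account has no human override. Names, the reauth window
and the sample account are constructed.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set, Tuple

REAUTH_WINDOW = 15 * 60  # seconds a proven second factor stays fresh (assumed value)


class Factor(Enum):
    TOTP = "totp"
    BACKUP_CODE = "backup_code"


@dataclass
class Account:
    user: str
    totp_secret: Optional[bytes] = None           # None: no authenticator enrolled
    backup_code_hashes: Set[str] = field(default_factory=set)
    locked: bool = False


@dataclass
class Session:
    user: str
    second_factor_at: Optional[float] = None      # when this session last proved a 2nd factor


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the Unix time step."""
    return hotp(secret, int(at // step))


def hash_backup_code(code: str) -> str:
    """Backup codes are stored hashed; only the digest is kept server side."""
    return hashlib.sha256(code.encode()).hexdigest()


def can_change_2fa(acct: Account, session: Session,
                   proof: Optional[Tuple[Factor, str]] = None,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Allow a 2FA settings change only with a fresh second factor.

    Locked accounts are refused outright (no override path); a session that
    proved a factor within REAUTH_WINDOW passes; otherwise a current TOTP code
    or an unused backup code must be presented. A password alone never passes.
    """
    now = time.time() if now is None else now
    if acct.locked:
        return False, "account locked: no recovery path"
    if session.user != acct.user:
        return False, "session does not belong to this account"
    if session.second_factor_at is not None and now - session.second_factor_at <= REAUTH_WINDOW:
        return True, "session proved a second factor recently"
    if proof is None:
        return False, "second factor required"
    kind, value = proof
    if kind is Factor.TOTP and acct.totp_secret is not None:
        expected = totp(acct.totp_secret, now).encode()
        if hmac.compare_digest(value.encode(), expected):   # constant-time compare
            session.second_factor_at = now
            return True, "totp verified"
    elif kind is Factor.BACKUP_CODE:
        digest = hash_backup_code(value)
        if digest in acct.backup_code_hashes:
            acct.backup_code_hashes.discard(digest)        # backup codes are single use
            session.second_factor_at = now
            return True, "backup code accepted"
    return False, "second factor rejected"


if __name__ == "__main__":
    # Constructed sample: one enrolled authenticator (RFC 4226 test secret) and one backup code.
    acct = Account("alice", totp_secret=b"12345678901234567890",
                   backup_code_hashes={hash_backup_code("8a2f-91cc")})
    sess = Session("alice")
    now = 1_700_000_000.0
    print(can_change_2fa(acct, sess, now=now))                                # password only: refused
    print(can_change_2fa(acct, sess, (Factor.TOTP, totp(acct.totp_secret, now)), now))
    print(can_change_2fa(acct, sess, now=now + 60))                           # fresh session: allowed
    print(can_change_2fa(acct, sess, now=now + REAUTH_WINDOW + 1))            # window expired: refused
```

The order of checks is the point: the lock check comes before any factor check, so no code path lets a locked account back in, and the session freshness check means a user who just passed 2FA at login is not re-prompted for every settings change while a cold session still is.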


> but everyone should know you suck at servicing that level of load

I think that mission is pretty well accomplished, right? I mean it is basically a meme at this point that Google has declined to spend the money that would be required to offer high quality interactive support for unpaid consumer accounts. Apparently people value their services more than they are concerned about the risk of needing support.

So, within that framework, the important question for both the consumer and for the service provider is what the best security trade-off is to accomplish their various goals. I think there's a pretty compelling argument made in this thread that the current stance is more optimal than requiring reauthentication for the vast majority of stakeholders.



