Hacker News

If you lose your U2F security key, are you sure you'll be able to remove it from your Google account? Because what I'm experiencing right now is that they support TOTP and you can't remove it if you lose it.


Specifically you need multiple registered keys, to prevent this current situation.

But yeah, this is why I dislike 2FA. There are clear security benefits, but it comes with the extreme downside of "what you know is not sufficient".

When it's e.g. a corporate-controlled account and your IT desk can just reset it to "password123!" to let you back in, it's quite a good trade-off. When it's your main email, i.e. your primary online identity, losing access is kinda a big deal, and Google has famously bad support.


> But yeah, this is why I dislike 2FA. There are clear security benefits, but it comes with the extreme downside of "what you know is not sufficient".

But that's not even the problem here. OP has the "what you have". Just because the secondary authentication device is made of paper doesn't mean it's any less valid. But Google is rejecting it and demanding the lost device.


More moving parts means more failures (as demonstrated), and in this case what they have has a (possibly very short, depending on their upcoming needs and how Google decides to re-verify them) time limit until they no longer have it.

So... sorta yes, sorta no. What they have is a ticking time bomb which goes off at the whim of a company that clearly does not care about them. That's not really "an authentication device" that anyone would willingly choose.


I used to do this but it was a hassle to set up. I can't imagine a normal person (less interested in tech) using this.


How does it work if you have 3 Gmail/Workspace accounts? Do you need multiple keys for each account?


The keys can be used on any number of accounts.


Yes, I lost a key 6 months ago and removed it from my Google account. I have multiple other U2F keys also registered.


Having those extra registered I think is the missing bit. The OP could have also registered additional 2FA methods, but didn't, thinking backup codes were as advertised.



