
I remember Google not letting me log in with my TOTP code when it insisted on me clicking a prompt I hadn't received. Only after two timeouts did it add the option to use a TOTP code. If I recall correctly, I had to let the thing fail and then click "let me try another way" or something similar. This leads me to believe that maybe Google hides certain options by default.

However, I also think that Google keeps track of a "security rating" for your session; when I don't log in for a while, Google asks me for my password but when I use that same session token on another physical address I also need to authenticate with 2FA.

This may imply that failed login attempts may flag your session as even worse than before. I have no idea if this is actually how it works or if this is purely coincidental, but it may be worth keeping in mind given that you have limited backup codes available to you.

My recommendation would be to first get a Google Takeout backup stored somewhere safe, then see if you can get another 2FA method that you have control over connected to your account.



Yep it absolutely ratchets up "suspicion" on your account, and failed attempts will quickly get your account in some sort of state where you're locked out. It's absolutely maddening.


Definitely - and I think now that I've gone to that 2FA page and let it time out (since I only have backup codes), I think it's ratcheted up suspicion higher as these login attempts count as "an attacker has the password but not the 2FA code!"


Definitely. I did that a few weeks ago and got an email from Google to my Gmail saying something along the lines of "somebody has your password and is trying to log in!" even though it was just me on a different computer, and after submitting the password I realized I didn't have my phone on me so couldn't submit the 2FA. It was even a computer on the same LAN (with same WAN IP), so not like I had an active session in the US while the attempt came from Moscow...



