Hacker News

Try enrolling another 2FA method while you're in there.


I cannot access the Two Factor authentication page at all - it is when attempting to access that page that I'm forced to log in again and provide a 2FA code.


Weird, this used to work... I guess they changed it at some point.


You might be surprised just how subtly corporations will break accounts that they are suspicious of. There is a whole world of anti-bot measures that come across to humans as just slightly odd behavior or weird bugs. It can be weirdly capricious as well. For example, I recently was having trouble logging into a website and was having to do a ton of SMS re-authentications. When logging into the website using Chrome I was given SMS messages with a 15-minute timeout. When logging in with Firefox the same SMS verification message only had a 5-minute timeout. Several times I would go through the authentication flow and then the service would seem to just crash, loading only a blank page, but I'm pretty sure that was just an anti-bot measure kicking in. I eventually only got it to work normally by switching over to my phone's hotspot. The website was just hating on my IP address for no disclosed reason.


It's a mistake to believe that every user will uniformly see the same things on the same pages. Google's account abuse system will offer different options to different users based on how suspicious their behavior appears to be.


Which abuse system? I worked there and I wasn't aware of myaccount changing behavior based on how "suspicious" the session is. In fact, I didn't know sessions had such an attribute, assuming this is true. Granted, I didn't work on the account dashboard, but still.

I'd assume it's more likely the behavior really is changing, specifically because in the past, the user's login session was treated as a valid factor alongside the user's password for disabling 2FA, which was criticized as being less secure than expected. However, I'm not sure they intended for the fix to that to not allow backup codes...



