Thing is, history has shown that nothing is reliably enough for Google, once it flags you suspicious. You've entered password and totp code? Nah, you're still suspicious. Gave one time backup-code? Hah, still suspicious. Have a hardware key? Nice, but you know you are really suspicious. How else can you prove that it's you?!