You have 2 factor on, right, OP?
If not, turn on 2 factor, with an app, not with sms
Good advice.
Personally, after enabling 2FA I also suggest finding a good 2FA app (I think
andOTP is best, Authy is an OK but less great choice), switching the account to that, and then
removing the phone number from the Google account. Phone companies are one of the most easy-to-compromise attack vectors; all it takes is one successful social engineering attempt and the attacker has control of your phone number, and by extension, any associated 2FAs. Bad. News.
Google sucks in that they require you do your initial 2FA setup via the less secure phone-based scheme. Only then do they let you switch to an app. After switching to the app (test it, be sure it works!) you can then remove the phone number from the Google account.
What if your phone's broken or physically stolen? To prepare for that you can both have Google generate a list of one-time-use passwords (guard these closely), and make sure that your 2FA app is making regular, off-device backups of your 2FA secrets (the strings of characters / QR codes you used to setup a given 2FA). As long as you have those secrets backed up somewhere safe you can easily restore them on another device, like a replacement phone.
Authy makes this easiest by integrating cloud-based secrets backup, but when my phone was stolen I actually found Authy's restore process a little
too convenient. As in, potentially exploitable by a smart attacker. That's one reason I prefer andOTP. My suggestion is to enable regular andOTP secret backups and then use something like
SyncThing (amazing software) to send the backup file somewhere safe.
This may sound like a lot. But it's easily manageable once you get started.
