When you set up 2FA, you were given a bunch of six digit access codes, with the advice to print them out and keep them at a safe place. Those codes will recover your account even if your backup email doesn’t work. You can enter any of those to get your account back. You should immediately change the phone number associated with your phone, because each of those codes can only be used once and account security settings may require a second confirmation code (so if you’ve burned your last backup code you’ll get stuck).

The “up to 24 hours” rarely takes longer than a few minutes in my experience. It’s technically possible for the codes to arrive a day later (or even longer), but I’ve never had to wait more than 5-10 minutes for communication from Google.

If you do get access to your account back, generate new codes and keep them safe in case this happens again!

Also consider not using SMS for 2FA. It’s better than nothing, but criminals often steal phone numbers if they think you have cryptocurrency stored on an account linked to your email address. Things like Passkeys and offline one-time codes (“TOTP”) are a lot safer. Just make sure to store your backup 2FA codes safely!

Too late for OP, but for everyone that can get into their accounts but doesn’t know what the backup codes are, go here, select ‘backup codes’ and then keep them in a safe place.

You didn’t keep your 2fa backup codes like they tell you to do?

We really need some legislation for those cases. Your digital “life” also deserves some rights. You should have some way to legally appeal a permanent ban or other lock-outs. Similar to how a GDRP data request works.