October 13, 2021

Just unblocked a Google account without submitting a telephone number.

I hate heuristics.

Interesting observation: a unit test just failed logging in two test accounts. In both cases, a weblogin was required, trying to coerce me into entering a phone number (it should be illegal to use telephone numbers for 2FA!!!), stating that I was logging in from an unknown device and Google wanted to make sure it’s really me (I still don’t understand the logic there. If I had stolen that account and entered a phone number, how would that have proven that I’m the legitimate owner?!).

For one of the two accounts, I had a Raccoon profile lying around with a still valid auth token and GSF ID. After browsing the Playstore for a bit with it, Google seemed to be convinced that it was me and allowed me to log in again. The other account kept getting the “weblogin required” error.

As far as I can tell, both accounts have been using the same hardware profile the whole time (so this was not about me using a strange and never-seen-before device). The only thing that might have changed was my IP address (I had some ISP troubles lately, so it might be that my DSL line got assigned to a different subnet).

I’m pretty sure Google’s Playstore team is not allowed to directly mess around with the account database, beyond using the OAuth2 interface. So this probably means that, by virtue of the still valid auth token, I could access FDFE (aka the Playstore REST API). (F)DFE requires a GSF ID for pretty much everything and passes it through to something that can measure activity and tell the account manager to chill.