I might be wrong, tried long ago, but maybe it is that even if you don't list SMS as your backup code delivery option, clicking forgot password (need only your username), and then going to Other Options, and choosing to gey identified by providing a phone number (Google shows type your number * * * * * * -1234), hijacking its SMS, can provide access to your account.