You're on the right path! Alas, I am a heretic and think recovery codes under my approach may cause more problems than they solve. [1]
Caution may be justified when it comes to doing this for something with as wide a surface area as a Google account. For me, if I'm going to have to compromise on 2FA somewhere anyway, I might as well go full hog and get an honest-to-goodness keyfile.
[1]: https://andrew-quinn.me/digital-resiliency-2025/#wait-what-a...