Google said "We detected unusual activity on your account" so they wanted to verify me. To do that, I re-entered my login and password, and it wanted to send me a verification code on my mobile.
So far, sensible. Now comes the crazy part.
It wanted me to give it the mobile number to send the verification code to.
That's barmy. If I were a naughty person trying to gain access to the drsolly blog, and assuming that the username and password is already compromised (because if it isn't, then that's enough for verification) then a naughty person would give their own mobile number. Obviuosly. And so the verification isn't a verification at all. This is fake security.
Or else it's a sneaky way for Google to find out my mobile number.
Either way, it's bad. Very bad.