It think this is something that Google is working on. By capturing multiple "facts" about you a company can be fairly certain who is trying to access an account, apart from passwords and phones. For example, they can tell if you spend 99.9% of your life in one country and then suddenly request a password reset from another country. I'm sure there are lots of other minor indicators that are much more difficult to fake, but putting them all together they should be able to get a pretty good picture of who you truly are even without proper 2FA.

Probably the only thing you can do is to have a separate secret email or phone only for account recovery, which are not linked to you in any way, or recovery codes printed out and stored in a secure location