Here's one implication: a scammer decides to send a "Your Gmail account is being canceled" phishing email to every address there. It clicks through a to fake but convincing Gmail login page that captures the user's real login info.
I've already had a few friends call for help with this since apparently it's pretty common.
It's not as helpful as you would think. The people who would activate the second step sign in and the people who fall for the phishing scheme don't overlap that much.
I've already had a few friends call for help with this since apparently it's pretty common.