"I stupidly fell for a phishing attack on my Google account"
it happens, lad, it happens.
IT systems should never expect users to be infallible. quite the opposite. user's lose keys, forget birth dates, run out of phone battery, get pick pocketed. any security process needs to compensate for the every day personal misfortunes and mistakes. that means key revocation processes, priority lines for reporting losses, alternative ways of accessing services, 'lite' services that can be offered where the full-fat version would require a higher level of clearance. etc.
people arent computers. we should stop building processes that behave as if they are.