I have a Google account that is associated with an email address at my own domain. When I was in the EU in summer 2019 (I'm American), their AI decided it didn't likWrye my new location. It also kindly emailed me, asking me to verify that this "suspicious sign-in attempt" was actually me. Which, of course, required me to sign in. I will leave you to guess whether the token in the url from the email was sufficient proof that it really was me, or whether this sign-in was also flagged, generating a new email, etc.