Question about 2 step verification on gmail (flawed?)

03-15-2013 , 05:32 PM
I use 2 step verification to sign into my gmail account. I wanted to test the password recovery option to see if it would protect me. However, when I went to reset my password all that it did was send a password to my alternate email address and I simply clicked the link in the email and typed in a new password without having to receive a text message to verify. So if I ever had a keylogger installed, all they would need to do is hack my alternate email. This is a huge flaw, unless I'm missing something?

edit: to test it again, I erased my alternate email from my account and tried to reset again. All I was asked was for an email address to have them contact me and it asked me what my old password was and I typed in random numbers and letters and they still sent me a recovery link to the email I provided.

Last edited by rakeme; 03-15-2013 at 05:41 PM.
03-15-2013 , 06:36 PM
That sucks, you should let them know (I think they have a forum for stuff like that).
03-17-2013 , 07:26 AM
Quote:
Originally Posted by rakeme
However, when I went to reset my password all that it did was send a password to my alternate email address and I simply clicked the link in the email and typed in a new password without having to receive a text message to verify.

So if I ever had a keylogger installed, all they would need to do is hack my alternate email.
Let's say someone was able to create a new password for you, as you describe above. Wouldn't this be insufficient to gain access to your account, since there is a second step of verification, the pass code?

Were you resetting your password on a device that you set up as "trusted?"

This could explain why there was no second step of verification.
03-21-2013 , 06:41 AM
Quote:
Originally Posted by Berlino
Let's say someone was able to create a new password for you, as you describe above. Wouldn't this be insufficient to gain access to your account, since there is a second step of verification, the pass code?

Were you resetting your password on a device that you set up as "trusted?"

This could explain why there was no second step of verification.
That could possibly have been it, because when I clicked the reset link all it required was for me to enter a new password to gain access. Anyway, I ended up just making my alternate email address a gmail account with 2 step verification, so now both of the emails require 2 step to gain access.
03-22-2013 , 04:54 PM
Did you check using other methods to overcome this problem? Like giving your DOB, secret answer etc.?