> an authenticator code is NOT a 2nd factor, if that user is using Google Authenticator.

it is still a second factor, because it is something you have instead of something you know; it's just that you converted it to something you know when you read it and transmitted it to someone else

all that being said, yeah, legal@google.com (as a homograph attack) should probably be blocked.