I actually find Google to be quite good here - if it detects something suspicious, such as a login from a different browser or location, it will prompt you for another authentication factor, such as an SMS one-time code, or 2FA if you have it enabled.
I would add that if you haven't already enabled 2FA, you should.