Just a heads up, but the last time I checked, Authy did not have secure defaults for 2FA.
Authy supports two standards -- the Google Authenticator method, and their own internal standard. Any tokens that go through their internal standard can be recovered on a new phone using just SMS verification, which defeats the entire point.
Your encryption password only applies to Google Authenticator tokens.
Calling them up one time, the person on the phone seemed to be able to 'see' my Cloudflare TOTP code (back when Cloudflare had beef with Google about their CEO account getting hacked) but wasn't able to 'see' what my manually added Google Authenticator codes were.
So I'm not even sure if Authy's own stuff is secure at all, perhaps someone from there will jump in.
But using the Google Authenticator way, it's a decent option. Just be sure to treat your backup key as a critical component that needs to be stored securely.
Authy supports two standards -- the Google Authenticator method, and their own internal standard. Any tokens that go through their internal standard can be recovered on a new phone using just SMS verification, which defeats the entire point.
Your encryption password only applies to Google Authenticator tokens.
https://twitter.com/DanielShumway/status/1092095395478556674