
Because Authy is SMS-based it's subject to phone number hijacking. If someone manages to convince your mobile carrier to enable your number on their SIM then you just lost all your 2FA protection. There are also ways to hack the SMS system so that you don't even need to have your phone number ported to fall victim.



SS7, which is used to route calls and SMS, can be spoofed. Any person with access to a cell tower (hop over a fence, break the padlock, plug your laptop in) or access to the telecom backbone (hack a telecom provider, buy a link) can hijack any number.

More:

https://en.wikipedia.org/wiki/Signalling_System_No._7

http://thehackernews.com/2017/05/ss7-vulnerability-bank-hack...


If you put a password on the Authy backup then it cannot be restored without that.

https://support.twilio.com/hc/en-us/articles/223182508-Authy...

This should be the default really.


Another default should be PIN enabled.


Wait, is the Authy App SMS based as well? I thought it just used a clock sync to generate the keys like GA does? I could be totally wrong as I haven't set it up, but that's what I gathered from reading their site and downloading their app?

I thought the main difference was that the 2FA service details were saved in the cloud so you could sync up to multiple mobile devices using the Authy app?
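The "clock sync" the comment refers to is TOTP (RFC 6238): the code is an HMAC over the current 30-second time step, keyed with a secret shared at enrolment, so generating or checking a code needs only that secret and a reasonably accurate clock, never the phone number or the SMS channel. The example below is added here and is not Authy's or Google Authenticator's code; it implements HOTP/TOTP with the RFC defaults (SHA-1, 30-second step) plus the server-side check a relying party performs, and uses the RFC 6238 test-vector secret as constructed input.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the ASCII seed used for the RFC 6238 test vectors.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    # Take 4 bytes at the offset, clear the sign bit, reduce to `digits` decimal digits.
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238: the counter is simply the number of `step`-second intervals since the epoch."""
    return hotp(secret, timestamp // step, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, timestamp: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step or `window` steps either side
    (tolerates small clock drift) and compare in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, timestamp + drift * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """otpauth:// URIs and QR codes carry the seed as unpadded base32; restore padding and decode."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # Two devices holding the same seed produce the same code from the clock alone;
    # nothing about the phone number is involved.
    now = int(time.time())
    print("current code:", totp(SAMPLE_SECRET, now))
    print("verifies:", verify_totp(SAMPLE_SECRET, totp(SAMPLE_SECRET, now), now))
```

The security consequence is the one the thread is circling: the only thing an attacker needs is the seed. Any feature that lets the seed be re-issued to a new device after a phone-number check (an SMS-verified cloud restore) reintroduces the SIM-swap and SS7 risks that TOTP itself was supposed to remove.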


Authy backs up the 2FA secrets to the cloud to enable "multi-device support". To restore the backup it's usually a matter of verifying your phone number via SMS. See how this turned bad?

I'd recommend disabling multi-device support, which is enabled by default, or adding a backup/restore passphrase to make it more difficult to add new devices without also cracking the passphrase.



