
Sorry, but I think some comments below contain incorrect or partial info.

Authy can be used just as an SMS-based 2fa, and this is as insecure as Google SMS. Note that this is still more secure than you (or me) implementing your own code via SMS, because they do intelligence on the phone numbers, especially on critical operations like changing phone/merging accounts.

Then there's the Authy app with the TOTP code, similar to Google Authenticator. From a security perspective it is true that having Authy on multiple devices slightly decreases your security, as an attacker could steal any device and bypass your 2fa.

I'm not convinced when people say that they can turn off Authy with just a phone verification (i.e. stealing the phone number), vs you can't on Google Authenticator. The fact that you have Google Authenticator, maybe even as a default, doesn't mean you don't have SMS too as an option, so the same attack can happen on Google.

Also, note that for many critical operations, in Authy and Google, you receive a notification. In particular, if you have many devices connected, you'll receive multiple notifications with a higher probability of catching the issue in time.

It would be nice to see explicit examples of the attacks mentioned. If you have someone's password and phone number [], you have a lot, and you can probably fool Google, Facebook, or any big one as you can fool Authy.

Let's also remember that 2fa is the 2nd factor. Your first factor, the password, should be strong as well.



People say "Google Authenticator" because they feel silly saying "TOTP", which is a term that no normal user knows. But you can substitute any TOTP application for Google's (Duo's is a popular alternative, and there's no phone number link in the Duo onboarding process).

Facebook calls these "code generator applications" and maybe that term will catch on.


My comment still applies. In the majority of the 2fa implementations you activate via SMS, then you can set up TOTP.

Even if you forget about SMS, SMS is still available to get a code and bypass 2fa.

Authy itself, if you have the app, never sends you an SMS, only push notifications.

I'm not sure Duo is relevant in this discussion; no consumer app that I know of/am aware of uses Duo.


I'm not sure you're following. You don't have to register with Google or with Duo to use their TOTP applications. Google Authenticator installed on your phone doesn't ask for your Google account or your phone number; it just sits there waiting for you to show it a bar code for a TOTP site. Same with Duo.

Used that way --- the default way --- you can't bypass it with SMS.


The parent comment was asking about GA vs Authy.

Responses were like GA is better because there's no SMS. This is true if you look at GA vs Authy mobile apps.

This is false, if you look at the consumer services where you enabled 2fa (Google, Facebook, Twitter, Instagram, Coinbase, Twitch...). They all require SMS to setup 2fa, and let you use SMS to bypass GA.

You cannot bypass GA with an SMS (the TOTP); you can bypass the service's 2fa, because for availability reasons they must provide you with more than a single 2fa method.



