
So fun story, I recently switched away from Authy for various reasons, but the key one was that I had to restore from a backup on a device, and when I did so I realized that Authy had never actually deleted any of the 2FA/TOTP accounts I'd configured over the years; things that had been deleted on device literally 5+ years ago were still stored and available on request via their API.

In general, after that I started poking, and discovered a lot of things I hadn't bothered looking into before that make me extremely suspect of Authy's general security.

For those looking for an alternative, I use 2FAS and Yubico Authenticator with a Yubikey now. Yubikey only allows you to store up to 32 TOTP slots, which is very limiting (I have more than 60 TOTP accounts for 2FA), so I use two apps and "tier" my 2FA.
