Hope @Leo might chime in on this one, as I started using Authy when hearing him recommend it.
After discussion about SMS 2FA on Lastpass, got to thinking about Authy.
Authy uses mobile phone number as user name. On the desktop app (Mac), you enter your mobile number, then it gives you a dropdown menu offering 2FA options of;
“Existing Device” (your Authy App on phone requires response),
Existing Device option is great. I have enabled Face ID on iPhone Authy App, so not only do I have to have access to the phone, it also has to pass the Face ID feature.
But if I choose the SMS option, I get the normal 6 digit code sent via SMS, and when I enter it on desktop, I get immediate access to the authenticator codes.
Am I missing something here? Seems as insecure as any other SMS 2FA option, and puts all my Authenticator codes at risk.