Your TOTP accounts can be moved between devices using Authy, correct? That means Authy has access to the plain text secrets at some point. So mistake #1: your "secrets" aren't secret, they are merely held in escrow. If they "were evil", or perhaps if a state actor, or if you pissed a rouge employee off at Authy, they could absolutely leak your credentials.
#2: The authy app lets you recover your account using SMS. So anyone that wants to pull off a simjack attack on you can login to your Authy as you and obtain the keys to the kingdom.
The entire point of TOTP is the "Secret" is held locally in an oracle. If you break that constraint, you've broken the security of the protocol.
#2: I believe they encrypt the backed-up tokens locally with a user-provided password [1]. The same password must be used to restore the backup. A malicious agent that "clones" your simcard will be able to obtain only an encrypted copy of your token data. This seems secure enough for me, but maybe I'm missing something.
Authy has access to the secrets if someone enables cloud backups, but they're encrypted with a user-provided key that must be re-entered upon syncing to a new device.
I'm aware of the simjack risk, but that would require:
1. That I'm using cloud backups
2. That the attacker has also obtained my backup key
None of this seems fair to summarize as:
> Your security tokens can be reset using SMS.
I'm not claiming Authy is perfect, but it seems to use a reasonable approach for people who don't fall under the "high value target" category.
#2: The authy app lets you recover your account using SMS. So anyone that wants to pull off a simjack attack on you can login to your Authy as you and obtain the keys to the kingdom.
The entire point of TOTP is the "Secret" is held locally in an oracle. If you break that constraint, you've broken the security of the protocol.