
Is 2fa with SMS safer or less safe than no 2fa at all?


REAL 2fa with SMS is marginally safer (but not much more so), since it requires password and SMS to do anything.

The problem is that nearly every single 2fa setup out there does something radically stupid such as use your 2fa method for password reset, or a combination of 2fa + email. This is horribly, horribly broken and worse than "no 2fa at all." All it takes is a SIM clone to steal your phone #, which you use to reset the email, and then email + phone/SMS can be used to reset nearly every single credential under the sun. The only exceptions are those that use proper 2FA such as one-time password apps -- but not Authy which just syncs your OTP/2fa credentials to the cloud and happily transfers to the cloned device :(


Could you elaborate on why Authy is not safe? In my setup,

1) after adding the devices I wanted to add, I've disabled multi-device (which keeps the existing devices, but prohibits adding new devices),

2) for new devices, it requires a backup password (once) to decrypt the credentials retrieved from the cloud, and

3) IIRC, it requires authorisation from one of the trusted devices to add a further device.

All in all, it seems much better (in terms of the security/availability trade-off) than Google Authenticator. But I've read opinions similar to yours a few times, and I wonder where they come from, whether they've been reasonable in the past, and whether they still are.


How well do you trust the customer service rep at Authy against social engineering? Especially when someone has control over your email, phone, and potentially many other accounts already.


Good question!

1) I trust them ever so slightly more than your average off-shored telco rep.

2) AFAIK, they do not hold the credentials in unencrypted form, they're only decrypted on the device with the backup password.


It's certainly safer than only using a password if you use the same password on lots of sites, since the odds of any password database being hacked are higher than the odds of your phone being targeted.


Thanks. This thread was giving me the impression that adding 2fa with SMS to a system would make it more vulnerable somehow.


It does if the provider uses the phone number to reset the password.


...in which case it becomes an "alternative factor" instead of a "second factor".
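The "alternative factor" versus "second factor" distinction above, and the SIM-clone-to-email-reset chain described earlier in the thread, can be made concrete with a small dependency model. The following is an added example, not code from anyone in this thread: it treats each recovery policy as a set of rules ("asset X can be obtained from any of these combinations of other assets") and enumerates the smallest combinations of directly compromisable items (phone number, passwords, TOTP secret, all constructed asset names) that reach a logged-in session. The three policies are assumptions written to mirror the setups the comments describe, including the rule that the e-mail provider itself resets by SMS.

```python
"""Toy model of account-recovery policies as a dependency graph (constructed example).

Each policy maps an asset (a credential, a code, or a logged-in session) to the
alternative ways of obtaining it; each alternative is a set of assets that
together suffice.  Given the "primitive" things an attacker might compromise
directly, the model computes the minimal combinations that reach a session.
"""
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List

Policy = Dict[str, List[FrozenSet[str]]]

# Things an attacker could hold directly, independent of the service's policy
# (assumed names: a SIM-swapped number, a leaked password, a copied TOTP seed).
PRIMITIVES = frozenset({"phone_number", "account_password", "email_password", "totp_secret"})


def _alts(*sets: Iterable[str]) -> List[FrozenSet[str]]:
    return [frozenset(s) for s in sets]


# Shared rules: an SMS code follows from the phone number, and the e-mail
# provider resets by SMS (the thread's "SIM clone -> reset the email" step).
_COMMON: Policy = {
    "sms_code": _alts({"phone_number"}),
    "email_access": _alts({"email_password"}, {"sms_code"}),
}

# Policy 1: SMS is required at login, but the password can also be reset with
# SMS alone or with e-mail + SMS.  This is the broken setup the thread describes.
SMS_ALTERNATIVE_FACTOR: Policy = {
    **_COMMON,
    "account_password": _alts({"sms_code"}, {"email_access", "sms_code"}),
    "account_session": _alts({"account_password", "sms_code"}),
}

# Policy 2: SMS is required at login and plays no part in password reset
# (reset happens out of band and is not modelled), so the attacker must
# learn the password by other means.
SMS_SECOND_FACTOR: Policy = {
    **_COMMON,
    "account_password": [],
    "account_session": _alts({"account_password", "sms_code"}),
}

# Policy 3: an on-device TOTP code is the second factor; reset needs e-mail + TOTP.
TOTP_SECOND_FACTOR: Policy = {
    **_COMMON,
    "totp_code": _alts({"totp_secret"}),
    "account_password": _alts({"email_access", "totp_code"}),
    "account_session": _alts({"account_password", "totp_code"}),
}


def closure(policy: Policy, have: Iterable[str]) -> FrozenSet[str]:
    """Everything obtainable from `have` by repeatedly applying the policy's rules."""
    got = set(have)
    changed = True
    while changed:
        changed = False
        for asset, alternatives in policy.items():
            if asset not in got and any(alt <= got for alt in alternatives):
                got.add(asset)
                changed = True
    return frozenset(got)


def minimal_compromise_sets(policy: Policy, target: str = "account_session",
                            primitives: FrozenSet[str] = PRIMITIVES) -> List[FrozenSet[str]]:
    """Smallest sets of primitives whose closure contains `target` (no proper subset does)."""
    found: List[FrozenSet[str]] = []
    for size in range(1, len(primitives) + 1):
        for combo in combinations(sorted(primitives), size):
            candidate = frozenset(combo)
            if any(known <= candidate for known in found):
                continue  # a smaller winning set is already contained in it
            if target in closure(policy, candidate):
                found.append(candidate)
    return found


def is_alternative_factor(policy: Policy, factor: str, target: str = "account_session") -> bool:
    """True if compromising `factor` on its own already yields `target`."""
    return target in closure(policy, {factor})


if __name__ == "__main__":
    for name, policy in [("SMS as alternative factor", SMS_ALTERNATIVE_FACTOR),
                         ("SMS as second factor", SMS_SECOND_FACTOR),
                         ("TOTP as second factor", TOTP_SECOND_FACTOR)]:
        print(name, [sorted(s) for s in minimal_compromise_sets(policy)])
```

Under the first policy the only minimal set is the phone number alone, which is exactly what makes SMS an alternative factor there; under the second the attacker needs the password as well; under the TOTP policy every minimal set includes the TOTP secret, so holding the phone number (and with it the e-mail account) is never enough on its own.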



