Authy 2FA best practices

Full disclosure, I'm a Solutions Architect for Authy and am pretty familiar with our product. :)

First off, absolutely DO NOT turn off 2FA! The real use case you're preventing with 2FA is someone compromising the website's database and running off with the login/password combination. Always use 2FA!

With 2FA enabled, you are also notified that someone is trying to log in and you can subsequently deny them access. If you turn off 2FA, you 1) won't be notified and 2) won't be able to deny them access.

Regarding your syncing concerns, let me reassure you that we've thought about a lot of these issues and have a solid technical solution.

First off, syncing is opt-in (as you've noticed). Secondly, the Authy OTP seeds between each of these devices ARE DIFFERENT. Here is a side-by-side image of the Authy Desktop app and the Authy iPhone app. Notice the values are different!

Authy Desktop and Authy iPhone apps use different seeds!

Google Authenticator seeds which are stored in Authy will be the same as they have only a single seed value which needs to be stored and shared. This is a limitation of the Google Authenticator approach. These seed values are encrypted via your backup password.

If your phone is lost or stolen, you can disable that device's access via any of your other devices.

Removing devices with the Authy Desktop and Authy iPhone apps

For more information on the security around Authy's multi-device support, check out this Q/A exchange: Authy - is my backup secured by only my password or 2FA as well

Hope this helps! Let me know if you have any more questions.

Cheers, - Josh @ Authy

p.s. I use 1Password as well and use a pretty gnarly password for backup & sync.
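An added example, not Authy's code or part of the answer above, showing the mechanism behind the screenshots: an RFC 6238 TOTP implementation in which two apps holding the same seed (the Google Authenticator case) always display the same code, while per-device seeds (the Authy Desktop/iPhone case) do not. The seeds and device names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time // step."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits)


def codes_for_devices(seeds: Dict[str, bytes], for_time: int) -> Dict[str, str]:
    """Return the code each named device would display at the same instant."""
    return {name: totp(seed, for_time) for name, seed in seeds.items()}


# Constructed sample seeds, not real secrets. A site's QR code carries one base32
# seed, so every app that scans it (Google Authenticator-style) holds the same bytes.
SHARED_SEED = base64.b32decode("JBSWY3DPEHPK3PXP")
# Authy-style: each enrolled device holds its own seed for the same account.
PER_DEVICE_SEEDS = {"desktop": b"constructed-desktop-seed", "iphone": b"constructed-iphone-seed"}


def shared_seed_codes_match(for_time: int) -> bool:
    """Same seed on both devices: the codes are identical at any instant."""
    codes = codes_for_devices({"desktop": SHARED_SEED, "iphone": SHARED_SEED}, for_time)
    return codes["desktop"] == codes["iphone"]


def per_device_codes_match(for_time: int) -> bool:
    """Distinct seeds: the codes agree only by chance (about 1 in 10^6 per step)."""
    codes = codes_for_devices(PER_DEVICE_SEEDS, for_time)
    return codes["desktop"] == codes["iphone"]


if __name__ == "__main__":
    now = int(time.time())
    print("shared seed:", codes_for_devices({"desktop": SHARED_SEED, "iphone": SHARED_SEED}, now))
    print("per-device :", codes_for_devices(PER_DEVICE_SEEDS, now))
```

The consequence for a backup is the one the answer describes: a shared seed is a single value, so it is the same on every device and must be protected in the backup by the backup password, whereas a lost device with its own seed can simply be removed.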


As cornelinux notes, this is not true second factor.

However, it is close enough for most people's use cases and definitely much more secure than relying on password alone.

In order to set up Authy in the first place you need a "second factor" verified by phone call/SMS, which is not a true second factor either. However, again, close enough for most use cases.

Any attacker gaining access to your Authy password would need to intercept the phone/SMS authentication as well, therefore I would say it adds significant security over password alone.