Authy - is my backup secured by only my password or 2FA as well
I'm a Solutions Architect with Authy and am happy to clarify this issue for you.
As you noted, we do require a password to encrypt and store your 'backup keys'.
We also have an opt-in feature which allows for the syncing of these keys across multiple devices (iPhone, Android, Chrome Extension). When you add a second device, you need to provide the first phone number to get access to those keys. At this point, you can choose either an SMS/Voice or "Use Existing Device" (your initial phone) notification for accessing your Authy account.
If you choose SMS or Voice, your initially registered phone number will get a notification with a token to gain access to the Authy account.
If you choose to 'Use Existing Device', you'll receive the following prompt on your initially registered device as seen here:
Once you've added a device, you can always see (and remove) devices that are associated with your account from any device.
To answer your question, before an attacker can sync keys down to an additional device, they will have to have approved the addition of another device via a token or the "Use Existing Device" feature on your initially registered device. If they are able to provide this approval, then they already have access to your primary phone... which is not ideal.
I hope this clears everything up for you.
Cheers! - Josh @ Authy
tl;dr Even with your password, this attack vector still requires user-approval from your initially registered phone number.
stl;dr Your Authy ID is tightly coupled with the phone number initially used during registration. Having the "B4dpassw0rd" will not help the attacker.
Without requiring any access to a user's phone, a hacker could use the SMS/Voice option & exploit the vulnerabilities documented in the Signaling System 7 (SS7) protocol to intercept a token. They could also use an IMSI catcher to eavesdrop on tokens in transit. This isn't unique to Authy, since no 2FA system that relies on SMS has mechanisms to prevent this.