[Spivak]

While this is true I think if anyone had control of my password database they could remove the 2FA from most of my accounts without much issue.

Also where is the password to your Authy account?

And where are your 2FA backup codes?

[jorvi]

You just give Authy a relatively simple password, and don't save it anywhere. If you don't have Authy in multi-device mode it will be impossible to activate another session, and if you do activate another session while in multi-device mode Authy will check if any other devices are active and if so will ping those devices with a verification request. It checks for an active device so that if you have only one device active and do a reinstall you can still activate. I have my 2FA backup codes in Dropbox, which itself is behind 2FA.

In essence someone has to both get my 1Password password, 1Password secret key and either compromise my phone (for Authy) or my phone number (to recover 2FA backup codes via Dropbox SMS recovery), or my computer (for direct Dropbox access). But very few organisations have that amount of capability and I have nothing stored in my accounts that is worth that capability. If I had, I would store it behind GPG and a password that is only in my mind.

Also, to lose access I'd need to lose my 1Password secret key or forget Authy password + get logged out of all my Dropbox devices simultaneously. The chances of that are rather slim.