...which is not as secure as a unclonable totp system
...which is not as secure as a hardware token based otp system
...which is not as secure as a hardware token that also requires you enter a pin and a fingerprint to activate it and only communicates using hard coded encrypted messages with the legit service that issued it.
To defeat the Authy account recovery process, you need to perform an active SMS attack (SIM swap, etc) and then prevent the target from seeing the recovery warning emails for 24 hours. Therefore, Authy customers should only tell trusted people that they are going on a weekend off-the-grid camping trip.
The word "secure" is not binary.
sms as a 2fa is secure.
Just not as secure as a authy totp account
...which is not as secure as a unclonable totp system
...which is not as secure as a hardware token based otp system
...which is not as secure as a hardware token that also requires you enter a pin and a fingerprint to activate it and only communicates using hard coded encrypted messages with the legit service that issued it.