The main issue I have with Authy is caused by their apparent efforts to convince websites to implement two-factor authentication in such a way that it exclusively works with Authy, despite offering no advantages over TOTP. (My understanding is that the API effectively creates a TOTP token, which if you can intercept, can be used in a normal TOTP client.)
Cloudflare used this for years, and Humble Bundle uses it right now. It is hard to understand why this is a thing if Authy is not paying companies to restrict a critical security feature to users of their app.
I have read about this a little from the user POV, but I have not yet used Authy to build a service which provides 2FA, so I do not understand the details enough to really talk intelligently about the differences.
I do recall reading that Authy uses SHA256 and 7 digit codes instead of SHA1 and 6 digit codes like Google Authenticator (cannot find source). However, the Key URI Format documentation in the Google Authenticator project [1] does have optional support for SHA256 and configurable number of digits, so Google Authenticator could support that too if it wanted to.
Cloudflare used this for years, and Humble Bundle uses it right now. It is hard to understand why this is a thing if Authy is not paying companies to restrict a critical security feature to users of their app.