I'm currently digging into this and have no affiliation with Authy other than being a happy customer.

The author ace-one wrote, "Authy is designed to be easily moved between mobile devices in the event that you switch to a new phone, or your old phone is stolen or lost". And while this is true, the hacker would still have to activate a new Authy app on their device.

That process takes at least 24 hours according to the authy website.

During those 24 hours, Authy sends notification emails to the victim. Let's say their email was also hacked, I'm hoping a person would notice within 24 hours that their phone number had been ported, their email hacked and they were in the process of fixing their phone issue and changing passwords for their email accounts.