Thanks for the round-up, but I have a response in regard to whether to use or not to use Authy.
One thing you did not touch on is that a phone number which is not tied to your phone can be used for Authy. I have my Google number tied to Authy, and so if someone wanted to SIM swap my phone number it would not affect me, except I would not have a phone to use until it was resolved. I would recommend setting your Authy number to a Google number or a similar service, which would negate the whole SIM swap issue you ran into, which I agree would cause you some big issues.
We both agree that SMS is what you should use as a last resort. What Authy does for you: if you request a token via Authy’s service and that request is in the form of an SMS, Authy will intercept that request and then do a push notification through the app. That in itself is a reason to use Authy. Let’s say I lose my phone, which is never a good thing for anyone. First, everyone should have a PIN code on their phone or a pattern or some other mechanism that requires access to unlock the phone. Second, you can put a PIN on Authy so it can’t be opened without that PIN, and third, I have another app that requires a different PIN for specific apps.
Obviously being hit with a SIM swap is different than losing your phone, but I wanted to show that you can secure Authy in multiple ways if you lose your phone and do not have a SIM swap performed on you.
If you use a Google or similar type of number for your Authy account which is not tied directly to your phone, you should not need to worry about a SIM swap, and to change that number you would need access to your Google or other account, which would require a separate login/password before you could initiate those requests.