One important note, though, is that the backup and multidevice requires their cloud servers* so the threat model is a little different. They've got a blog on how they do the cloud backup**, but since you need a password it either needs to be something you can remember or be stored in a password vault that doesn't rely on getting a 2fa code from authy for access.
* for the paranoid, there's a mode where it doesn't backup to the cloud, which makes it function the same as google auth, but that does defeat a lot of authy's benefits.
I once broke my phone with Google Authenticator on it and I spent 2 days locked out from my work accounts. Never risking that again.