Setting up the Authy app requires you to provide a phone number, which we verify via an SMS text message or voice call. After enrollment, we recommend configuring another Authy app elsewhere (your phone and a tablet, computer, or another phone) in case you ever get a new phone, and need to recover your account. After you have setup two Authy app installations, we strongly suggest disabling multi-device. Doing this will prevent an attacker from being able to configure an Authy app with your account on another device.
There are account recovery options outside of multi-device, but those require the attacker to compromise your primary email. These also take a minimum of 24 hours, during which you would receive email notifications, and could request a cancellation.
Authenticator tokens are also encrypted, so without your strong password, it's unlikely an attacker would be able to decrypt them.