Hacker News
Ask HN: Do you believe that Authy cloud backups are secure?
23 points by Fej on July 18, 2017 | 6 comments
Authy looks like a neat service, and their blog post about the security of backed-up TOTP keys is promising, but obviously no one can independently audit the code.

Could anyone else weigh in on the security of this product, if there's any public information? Have there been any serious breaches or exploits?
Many security-conscious product companies go through an independent audit of their security processes to become certified. This doesn't necessarily mean that the code is secure, but it does mean that the company/product follows procedures and policies designed to ensure that the company and its products are secure, such as going through an annual penetration test. According to their website Authy is SOC2 compliant, so you should be able to ask them for their report (you typically have to sign an NDA). Importantly, you should read the report, ESPECIALLY the exceptions. It should give you a good feel for their security model and security defenses.


That's interesting. You think they'd let a CS student look it over?


As long as you're considering buying it and are willing to sign an NDA. Twilio also has a generic white paper that's available without scheduling a demo, which may be more accessible. If you're having trouble with Twilio/Authy giving you permission to view the SOC2, you should reach out to one of the evangelists.


I haven't looked into it past being an Authy user, but when restoring from backup I was a bit miffed that the service (Google, GitHub, Other, etc.) and the comment (e.g. username, email) were able to be seen without inputting my backup password.


I ask myself the same question, and I always stop at thinking that it's just the 2FA tokens and not the actual passwords.


I would agree.

