Ente Auth or bitwarden builtin one or keepassXC builtin one.
Migrating from Authy is a headache, though you don’t have to reset the tokens. I found a way to do it (1), but I had to do it manually because Authy only exported the email/user and the token. Now, if you are like how I used to be, having the same email for different accounts, the exported JSON will be confusing and there's no way to tell which account is for which service. Only in the Authy UI can you tell. I had to follow the order of the JSON and the app, one by one, for my 700+ accounts, and verify that it works by going to the service site and testing the generated code from the new app, and also changing the email to a unique one. It took a whole week!
Edit: to add, I wouldn’t recommend using Yubico or hardware-based ones unless you will have two or more replicas, losing them is easy compared to having your tokens backed up in an encrypted KeepassXC db for example.
Migrating from Authy is a headache, though you don’t have to reset the tokens. I found a way to do it (1), but I had to do it manually because Authy only exported the email/user and the token. Now, if you are like how I used to be, having the same email for different accounts, the exported JSON will be confusing and there's no way to tell which account is for which service. Only in the Authy UI can you tell. I had to follow the order of the JSON and the app, one by one, for my 700+ accounts, and verify that it works by going to the service site and testing the generated code from the new app, and also changing the email to a unique one. It took a whole week!
Edit: to add, I wouldn’t recommend using Yubico or hardware-based ones unless you will have two or more replicas, losing them is easy compared to having your tokens backed up in an encrypted KeepassXC db for example.
(1) https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d...