the Authy 2FA isnt bad, but U2F would be even better. with U2F one can use a hardware token (usually over USB) to sign in, and the best thing is that it’s almost impossible to do phishing U2Fs, because the browser has to be convinced that
a) the login is actually dash.cloudflare.com (or whatever domain selected)
b) the connection is HTTPS.
before anything works.