What are the possible attack vectors for software such as Authy, Google Authenticator, Microsoft Authenticator, etc?
-Pass the cooking, but that is also the case for U2F.
-Malware on the phone grab the picture, when one is scanning the QR code containing the private key of the M2F code.
-Malware stealing the private keys of the app, in the M2F on the phone. Is this possible? Can the malware read the contents of lets say, Google Authenticator, of their stored keys?
-Stealing the phone, of course.
-Acessing the cloud where automatically backups are generated. Authy, Microsoft Authenticator.