Authy isn’t the only such app, but it is a popular one. (I personally use Google Authenticator for this).
Once the app is installed, you set up authenticator code-based authentication using some page run by the web service. It will present you a “key” code number, often accompanied by a QR code which you can use for easier installation.
You then run the authenticator app and tap the button to add a new service. You then should have buttons to either manually enter the information (for Google Authenticator, this is the name of the account, the key code and a selection for time-based or counter-based codes) or to read the QR code with your phone’s camera (which will provide the same information). Use either one to set up the service.
And you’re done. On the app’s main screen, at least for time-based codes, you should see a list of configured accounts and a 6-digit code number associated with each one. The numbers change every 60 seconds or so and remain valid for the 60 seconds for which they are visible (and probably a little bit of slack, because clocks may not be 100% synchronized).
I’ve never used them with counter-based codes, so I’m not sure what that looks like, but typically counter-based systems don’t show anything until you tap a button to get a code, which can only be used once. When you request another code, you’ll get a different one.
This article has a pretty good description:
The nice thing is that the algorithm is an industry standard, so any app should work for any service. The thing that creates the security is the key value you use to set up each service. Anyone with the same key can replicate the sequence of codes, so you shouldn’t print or save the key after configuring your authenticator app. You should be able to generate new keys in the future if you need to set up a new app.