I'm considering setting up two-factor authentication on my SSH accounts (OpenSSH, Ubuntu). I was looking into Authy-SSH, but I'm wondering what the possible disadvantages are?
Also, can I lock myself out when the server's time gets out of sync or when I lose my phone?
You need to decide if you want to do 2FA on your own or if you want to trust an external entity. This is not only about not trusting Authy but about not trusting any attacker who might intercept the authentication request.
Each time you want to log in via SSH, an HTTP API request is sent to authy.com. Authy decides if access is granted or not.
There are other hosted services like Authy, but there are also solutions which you can run on your own and thus control the authentication decision yourself. You can use the Google Authenticator PAM module or a Yubikey, which work locally. Or you may host your own authentication server like privacyIDEA. (Disclaimer: I am a developer of privacyIDEA.)
What also sounds a bit strange to me is the use of ForceCommand instead of providing a PAM module to be integrated into the PAM stack. If it were integrated into the PAM stack, then you could do backup scenarios like: if OTP fails, still authenticate with a password or with an SSH key...
You cannot lock yourself out when you get out of sync. There are means to resync. You cannot lock yourself out when you lose your phone. You can always ask Authy to say "yes" to the next authentication request - however that may look ;-)
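The PAM-stack approach the answer above prefers, as an added example that is not part of the original answer or of any project's own code: a small shell script that renders an sshd_config fragment requiring a key plus a PAM keyboard-interactive (OTP) step, a matching /etc/pam.d/sshd stack using the Google Authenticator module, and a check that the rendered sshd settings actually make the PAM path reachable. The `backup` user exempted in the Match block, the `nullok` rollout fallback and the file paths are assumptions for illustration; nothing is written to /etc.

```shell
# Added example, not from the original answer. Renders config text only;
# copy the output into /etc/ssh/sshd_config and /etc/pam.d/sshd yourself.

# sshd settings: public key first, then the PAM conversation (the OTP prompt).
sshd_2fa_config() {
  cat <<'EOF'
# Let PAM run the keyboard-interactive (OTP) conversation.
UsePAM yes
KbdInteractiveAuthentication yes
# Older OpenSSH spells that option ChallengeResponseAuthentication.
# Interactive users need BOTH a key and the PAM step (comma = "and").
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no
# Assumed automation account: key only, so unattended jobs keep working.
Match User backup
    AuthenticationMethods publickey
EOF
}

# PAM stack for the sshd service. `nullok` lets a user who has not enrolled
# a secret yet (no ~/.google_authenticator) log in with the key alone, which
# is the backup path during rollout; remove it once everyone is enrolled.
pam_sshd_stack() {
  cat <<'EOF'
# /etc/pam.d/sshd (relevant auth lines only)
# Do NOT keep "@include common-auth" here, or a password is asked as well.
auth required pam_google_authenticator.so nullok
# The account/session lines of the stock file stay as they are.
EOF
}

# Verify a rendered sshd_config contains the directives that make the PAM
# step reachable. Returns non-zero and names the first missing directive.
check_sshd_2fa() {
  cfg="$1"
  for want in 'UsePAM yes' 'KbdInteractiveAuthentication yes' \
              'AuthenticationMethods publickey,keyboard-interactive'; do
    printf '%s\n' "$cfg" | grep -qx "$want" \
      || { echo "missing: $want" >&2; return 1; }
  done
  return 0
}

# Usage (set SHOW_2FA_CONFIG=1 to print both fragments):
if [ "${SHOW_2FA_CONFIG:-0}" = 1 ]; then
  sshd_2fa_config
  echo '---'
  pam_sshd_stack
fi
```

Because the OTP check sits in the PAM stack rather than behind ForceCommand, the fallback behaviour is controlled by ordinary PAM control flags and by sshd's `AuthenticationMethods`, and an automation account can be exempted with a `Match` block instead of being locked out entirely.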
Key-based authentication with tied-down keys (i.e., keys restricted by the IP range they can be used from and/or the command they can be used to invoke) is a pretty safe way of being able to use SSH-based resources from scripts. If you go fully 2FA on sshd, you lose the ability to have automated tasks access resources without operator intervention.
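The tied-down keys described above, as an added example that is not part of the original answer: a shell helper that builds an authorized_keys entry restricted to a source range and a single command (with pty and forwarding disabled), plus an audit function that lists every active key in an authorized_keys file lacking a `from=` or `command=` restriction. The key material, the 10.0.0.0/8 range and the /usr/local/bin/backup-pull command are constructed placeholders.

```shell
# Added example, not from the original answer. Works with the authorized_keys
# option syntax documented in sshd(8); sample keys below are fake.

# Emit one restricted authorized_keys line. sshd ignores whatever command
# the client asks for and runs $cmd instead (the client's request is exposed
# to it in SSH_ORIGINAL_COMMAND), and only accepts the key from $from.
restricted_key_line() {
  from="$1"; cmd="$2"; keytype="$3"; keydata="$4"; comment="$5"
  printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s %s %s\n' \
    "$from" "$cmd" "$keytype" "$keydata" "$comment"
}

# Audit an authorized_keys file: print every non-comment line that has no
# from= or no command= option, with its key comment. Exit 1 if any found.
# (Option values are only matched at the start of the line or after a comma,
# so a from= inside a quoted command string is not mistaken for the option.)
audit_authorized_keys() {
  file="$1"
  awk '
    /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
    {
      has_from = ($0 ~ /(^|,)from="/)
      has_cmd  = ($0 ~ /(^|,)command="/)
      if (!has_from || !has_cmd) {
        label = ($NF ~ /^AAAA/) ? "no comment" : $NF
        printf "line %d: unrestricted key (%s)\n", NR, label
        bad++
      }
    }
    END { exit bad ? 1 : 0 }' "$file"
}

# Demo with a constructed file (set KEY_AUDIT_DEMO=1 to run it).
demo_key_audit() {
  tmp=$(mktemp)
  fake='AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE'
  {
    echo '# constructed sample authorized_keys'
    restricted_key_line '10.0.0.0/8' '/usr/local/bin/backup-pull' ssh-ed25519 "$fake" backup@ci
    echo "ssh-ed25519 $fake admin@laptop"
  } > "$tmp"
  audit_authorized_keys "$tmp" || echo "audit found unrestricted keys in $tmp"
  rm -f "$tmp"
}
if [ "${KEY_AUDIT_DEMO:-0}" = 1 ]; then demo_key_audit; fi
```

Running the audit over the constructed file reports only the `admin@laptop` key, which carries no restrictions; the CI key is accepted because it is pinned to a source range and a fixed command.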