Most HOTP/TOTP apps are essentially the same; the algorithms are publicly documented, so most users merely see slight UI differences. However, there are a few security things you might consider when choosing one:
- Is it open-source? Google Authenticator, for instance, used to be, but no longer is (which IIRC directly inspired RedHat's FreeOTP). However unlikely it is that Google has introduced code to steal users' tokens, it is possible; you also miss the other benefits of open-source, like being able to hunt for bugs in the source directly.
- Are secrets backed up somewhere external? I recently had my phone unexpectedly die, and this meant I had to reset my 2fa codes on a bunch of services (while not having access to my phone number for sms or phone calls, the most common backup method). This was a huge pain. It's not surprising that many users would like to use a service that stores the underlying secrets somewhere external, so they can continue to use them in case of a device switch. However, this comes with an inherent risk: that factor is no longer "something you have", but access to your account, which is often another "something you know". You can make the argument that codes are no longer a second factor. Authy (optionally) falls into this category.
Beyond that, you've got considerations like "Does this integrate nicely into my existing tools?" that are very real UX considerations, but don't impact security other than in how they persuade users to use (or not use) MFA.