Backups password, Master password, and PIN protection with Authy

If you have been using Authy for some time, you probably realized that there are a lot of different passwords. This article aims to explain the difference between these passwords and what security precautions you should take in order to keep your tokens safe.

Backups Password

The Backups password is, as the name implies, used for QR code tokens you have added to the app yourself and sent to the Authy server for safe keeping in case your phone is lost / damaged. When you enable backups on your Authy app, the backups password encrypts all your tokens and uploads them to our servers. This means that if our servers were to be compromised, no hacker would be able to steal your tokens unless he also knew your backups password. This password is never stored in our servers for your security so make sure you write it down somewhere safe or use a password only you know: if you ever forget your password you will be unable to decrypt your tokens. You can always change your Backups Password by going to Settings > External Accounts > Change Backups Password. This will require entering that password the next time you access any other device.

PIN Protection

The PIN is a 4 digit password with a "Protect Entire App" option that locks your app so others will not be able to access your tokens if they were to gain access to your physical device. Like the Backups Password, the PIN is never stored in our servers, but if you forgot it, you can simply reinstall the app and register Authy to that phone number. For extra security, push notifications will be sent and some high-risk bitcoin accounts will require users to wait 24 hours during an account recovery notification period to make sure the user trying to access the account is legitimate. The PIN is not synced to other devices, it is configured locally, and can be turned off from Settings.

There are two PIN options: PIN enabled, and Protect Entire App. Protect Entire App is recommended. If you select the PIN without enabling "Protect Entire App", the PIN will only be required to access the settings page in Authy, where your phone number, email, AuthyID, and device controls are visible/changeable. This lower level of security is useful in organizations where users share the app, or where the primary risk is revealing the email address you used to set up the app.

The Master Password

The Master Password provides an additional security layer for your tokens. It is available in both the Authy for Desktop and Authy Chrome apps. Whenever your computer is idle, the Master password will be used to encrypt your tokens so if a hacker gained access to your computer (for example,  when you go out for lunch and leave your PC at your office) they would need the Master Password to gain access to your tokens.

The Master Password is like the PIN, but for your computer. If you have forgotten the Master Password, you may recover by reinstalling the app.

Have more questions? Submit a request