If you have been using Authy for some time, you have probably noticed that it uses several different passwords. This article explains the difference between these passwords and the security precautions you should take to keep your tokens safe.
Authy Backups Password
This is a password that cannot technically be recovered or changed by a member of the Authy team or any third party. For your security, the Backups password is never sent to or stored on our servers.
The Backups password is, as the name implies, used for QR code tokens you have added to the app yourself and sent to the Authy server for safekeeping in case your phone is lost or damaged. When you enable backups in your Authy app, all your tokens are encrypted with the backups password and then uploaded to our servers. This means that if our servers were ever compromised, an attacker could not steal your tokens without also knowing your backups password.
Alert: For your security, the Backups password is never sent to or stored on our servers, so make sure you write it down somewhere safe or use a password only you know. If you ever forget your backups password, your account tokens will be permanently lost.
Users who forget their backups password will be unable to decrypt these tokens, and will likely need to contact the company/website they are trying to log in to in order to regain access.
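The client-side encryption described above, sketched as an added example that is not Authy's code. The article does not specify the scheme, so PBKDF2-HMAC-SHA256, AES-256-GCM, the iteration count, and every function name here are assumptions; the point is that the uploaded record holds no password or plaintext seed, and that a wrong or forgotten password leaves it undecryptable.

```javascript
// Added illustration, NOT Authy's implementation. Algorithms and parameters are assumed.
const nodeCrypto = require('node:crypto');

const KDF_ITERATIONS = 600000; // assumed PBKDF2 work factor

// Derive a 256-bit key from the backups password. This runs only on the device.
function deriveKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Encrypt one token seed locally. The returned record is everything a server would hold.
function encryptToken(seed, password) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(seed, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('hex'),
    iv: iv.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
    ct: ct.toString('hex'),
  };
}

// Decrypt on a new device. Returns null if the password is wrong or the record was altered.
function decryptToken(record, password) {
  const key = deriveKey(password, Buffer.from(record.salt, 'hex'));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'hex'));
  decipher.setAuthTag(Buffer.from(record.tag, 'hex'));
  try {
    const pt = Buffer.concat([decipher.update(Buffer.from(record.ct, 'hex')), decipher.final()]);
    return pt.toString('utf8');
  } catch (err) {
    return null; // GCM tag check failed: without the right password the seed is unrecoverable
  }
}

// Constructed sample values, not real credentials.
const SAMPLE_SEED = 'JBSWY3DPEHPK3PXP';
const SAMPLE_PASSWORD = 'correct horse battery staple';

const stored = encryptToken(SAMPLE_SEED, SAMPLE_PASSWORD);
console.log('server-side record:', stored);
console.log('right password:', decryptToken(stored, SAMPLE_PASSWORD));
console.log('wrong password:', decryptToken(stored, 'a guess'));
```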
For help enabling and disabling backups, or changing the backups password, please see Backups and Sync in Authy.
After you restore access to your accounts, you must first remove all undecrypted tokens from the Authy app before adding the token generators to it again. For help on deleting tokens, whether decrypted or undecrypted, please see Delete, Hide, or Decrypt Two Factor Authentication (2FA) Account Tokens in the Authy App.
Authy Mobile App Protection PIN
The App Protection PIN is a 4-digit password for your Authy app on iOS and Android. Once enabled, the App Protection PIN locks your app so that others cannot access your tokens if they gain access to your physical device. The App Protection PIN also supports fingerprints on supported Android devices, and Touch/Face ID on supported iOS devices.
Alert: Like the Backups password, the App Protection PIN (and optional biometric data) is never stored on our servers. Make sure you write it down somewhere safe or use a PIN that only you know. If you ever forget your PIN, any 2FA account tokens that have not been backed up will be permanently lost. Users can, however, recover their Authy account by following the process here: Reinstalling Authy and Restoring Access to your Account.
For help enabling and disabling mobile App Protection, or changing the PIN, please see Authy Mobile App Protection PIN for iOS and Android.
Authy App Master Password
The Master Password provides an additional security layer for your Authy 2FA tokens in the Desktop and Chrome apps. Once enabled, the Master Password will encrypt your tokens whenever the Authy App is opened, or when your computer goes idle. If an attacker somehow gains access to your computer (for example, when you go out for lunch and leave your PC at your office), they would need the Master Password to gain access to your tokens.
Alert: Like the Backups password and App Protection PIN, the Master Password is never stored on our servers. Make sure you write it down somewhere safe or use a password that only you know. If you ever forget your password, any 2FA account tokens that have not been backed up will be permanently lost. Users can, however, recover their Authy account by following the process here: Reinstalling Authy and Restoring Access to your Account.
For help enabling and disabling the Master Password, or changing the password, please see Authy App Master Password for Desktop and Chrome.