If you have been using Authy for some time, you probably realized that there are a lot of different passwords. This article aims to explain the difference between these passwords and what security precautions you should take in order to keep your tokens safe.
The Backups password is, as the name implies, used for QR code tokens you have added to the app yourself and sent to the Authy server for safe keeping in case your phone is lost / damaged. When you enable backups on your Authy app, the backups password encrypts all your tokens and uploads them to our servers. This means that if our servers were to be compromised, no hacker would be able to steal your tokens unless he also knew your backups password. This password is never stored in our servers for your security so make sure you write it down somewhere safe or use a password only you know: if you ever forget your password you will be unable to decrypt your tokens. You can always change your Backups Password by going to Settings > External Accounts > Change Backups Password. This will require entering that password the next time you access any other device.
The PIN is a 4 digit password with a "Protect Entire App" option that locks your app so others will not be able to access your tokens if they were to gain access to your physical device. Like the Backups Password, the PIN is never stored in our servers, but if you forgot it, you can simply reinstall the app and register Authy to that phone number. For extra security, push notifications will be sent and some high-risk bitcoin accounts will require users to wait 24 hours during an account recovery notification period to make sure the user trying to access the account is legitimate. The PIN is not synced to other devices, it is configured locally, and can be turned off from Settings.
The Master Password
The Master Password is like the PIN, but for your computer. If you have forgotten the Master Password, you may recover by reinstalling the app.