Backups password, Master password, and PIN protection with Authy

If you have been using Authy for some time, you have probably noticed that it uses a number of different passwords. This article explains the difference between these passwords and what security precautions you should take to keep your tokens safe.

Authy Backups Password

The Backups password, as the name implies, protects the QR code tokens you have added to the app yourself and sent to the Authy servers for safekeeping in case your phone is lost or damaged. When you enable backups in your Authy app, the backups password encrypts all your tokens, and the app then uploads them to our servers. This means that if our servers were to be compromised, no hacker would be able to steal your tokens unless they also knew your backups password.

Alert: For your security, the Backups password is never stored on our servers, so make sure you write it down somewhere safe or use a password only you know. If you ever forget your backups password, your account tokens will be permanently lost.

Users who are unable to pass the backups password check will be unable to decrypt these tokens, and will likely need to contact each 2FA account's support team to regain access to any account they are now locked out of.
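The arrangement described above (tokens encrypted with the backups password on the device, only ciphertext uploaded, no recovery without the password), as an added sketch that is not Authy's code. The page does not name the algorithms, so scrypt and AES-256-GCM are assumptions here, and the function names and sample values are hypothetical.

```javascript
const crypto = require('crypto');

// Assumption: scrypt with Node's default cost parameters derives a 256-bit key.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Runs on the device. The returned record is all a server would ever hold:
// it contains neither the password nor the plaintext token seed.
function encryptToken(seed, backupsPassword) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(backupsPassword, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(seed, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ciphertext.toString('base64'),
  };
}

// Runs on a replacement device after downloading the record.
// Returns the seed, or null when the password is wrong or the record was altered.
function decryptToken(record, backupsPassword) {
  const key = deriveKey(backupsPassword, Buffer.from(record.salt, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  try {
    return Buffer.concat([
      decipher.update(Buffer.from(record.ciphertext, 'base64')),
      decipher.final(),
    ]).toString('utf8');
  } catch (err) {
    return null; // GCM authentication failed: nothing can be recovered
  }
}

// Constructed sample values, not real credentials.
const sampleSeed = 'JBSWY3DPEHPK3PXP';
const samplePassword = 'correct horse battery staple';
const stored = encryptToken(sampleSeed, samplePassword);

console.log('server-side record fields:', Object.keys(stored).join(', '));
console.log('right password :', decryptToken(stored, samplePassword));
console.log('wrong password :', decryptToken(stored, 'wrong guess'));
```

Because the key exists only while the password is being typed, a forgotten password leaves the stored record undecryptable for the user and the service alike.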

For help enabling and disabling backups, or changing the backups password, please see Backups and Sync in Authy.

Authy Mobile App Protection PIN

The App Protection PIN is a 4-digit password for your Authy app on iOS and Android. Once enabled, the App Protection PIN locks your app so that others cannot access your tokens if they gain access to your physical device. The App Protection PIN also supports fingerprints on supported Android devices, and Touch/Face ID on supported iOS devices.

Alert: Like the Backups password, the App Protection PIN (and optional biometric data) is never stored on our servers. Make sure you write it down somewhere safe or use a PIN that only you know. If you ever forget your PIN, any 2FA account tokens that have not been backed up will be permanently lost. Users can, however, recover their Authy account by following the process here: Reinstalling Authy and Restoring Access to your Account.

For help enabling and disabling mobile App Protection, or changing the PIN, please see Authy Mobile App Protection PIN for iOS and Android.

Authy App Master Password

The Master Password provides an additional security layer for your Authy 2FA tokens in the Desktop and Chrome apps. Once enabled, the Master Password will encrypt your tokens whenever the Authy App is opened, or when your computer goes idle. If a hacker somehow gains access to your computer (for example, when you go out for lunch and leave your PC at your office), they would need the Master Password to gain access to your tokens.

Alert: Like the Backups password and App Protection PIN, the Master Password is never stored on our servers. Make sure you write it down somewhere safe or use a password that only you know. If you ever forget your password, any 2FA account tokens that have not been backed up will be permanently lost. Users can, however, recover their Authy account by following the process here: Reinstalling Authy and Restoring Access to your Account.

For help enabling and disabling Master Password, or changing the password, please see Authy App Master Password for Desktop and Chrome.
