Authy allows you to backup and sync your 2FA account tokens across multiple devices. Enabling backups requires you to set a password that is used to create a secure key for encrypting your tokens. The keys are then uploaded to the Authy server, where they can be synchronized on other devices logged in under your account, but require decryption with your password before they can be used.
For more information, please see our article Backups and Sync in Authy.
Do Authy or Twilio employees have access to my 2FA account tokens when I enable backups?
No. When you enable backups in the Authy app, you will be asked to enter and confirm a backup password. The Authy app derives a secure key from that password, which is then used to encrypt the 2FA account tokens before they're sent to the Authy servers. Neither the password or key is ever sent to or stored on Authy's servers.
How do you derive encryptions keys from passwords?
We use the National Institute of Standards and Technology (NIST) recommended algorithm PBKDF2.
What does Authy recommend for creating backups passwords?
In general, we recommended Authy users choose high entropy passwords, or those that lack order and predictability. The easiest way to generate a secure password would be to use password managers, or a passphrase generator like the one found here: https://www.rempe.us/diceware/#eff.
Specifically, we suggest your password be a minimum 10 characters in length, but recommend 20 characters or more. If you chose to use a passphrase, we suggest a minimum or 5 words in length, but recommend 8 words or more.
Does Authy know what 2FA account tokens I've added?
Only if you enabled backups can we know what 2FA accounts you have added:
- For accounts added by a scanned QR code, the Authy app uploads the QR code. QR 2FA account sites/providers are free to decide what data is in the QR code, but typically this consists of the site name and the user name or email address.
- For accounts manually added, the Authy app only uploads the logo, which can be either manually changed by the user in-app.
A user could add all tokens manually (without using QR codes), to avoid sharing any information the QR code might add.
Why can't I change or reset my backup password?
If you have a access to another Authy app installation that is already configured and has all your unencrypted 2FA account tokens, you can change the backups password at anytime. When your password is changed, we re-encrypt everything, and then send the encryption keys back to our server.
If you either don't have access to another Authy app installation or you forget the backups password you created, there is nothing we can do. Your 2FA tokens will be permanently lost.
Alert: For the best backup coverage, we recommend you keep your backups password in a safe location, and also enable Multi-device and configure another Authy app installation. If you lose or forget your backups encryption password, and don't have access to another configured and synced Authy installation, we won't be able to help you recover your 2FA tokens. We never store your backups password, so all of your 2FA tokens will be permanently lost.
Users that are unable to pass the password check will need to start over with a new Authy account, and will likely need to contact support for any accounts previously secured with Authy that you are now locked out of.