Twilio’s Authy is a two-factor authentication app that uses a zero-trust approach to protect users against unauthorized access through compromised credentials and weak passwords.
It does this via an easy-to-use API along with the HMAC RFC algorithm. This is a security algorithm that rotates a six-digit number token every 30 seconds. These single-use tokens, also referred to as Push notifications or Authy tokens, are more secure than passwords and they help keep track of individual users that are authenticating on Authy servers.
You’ll need to enter one of these to securely access your Authy account. You can use the app to get the randomly generated token, but if you don’t have access to the app you can request an SMS to be sent to your cell phone.
SEE: Mobile device security policy (TechRepublic Premium)
If you are offline or out of data and unable to get an SMS or Push authentication on your phone or desktop, you can still login using one of your backup codes.
Once a backup code is used it automatically becomes inactive. If you lose your codes or you think they’ve been stolen, you can create a new set of 10 backup codes. The old set of codes will automatically become inactive.
Authy has other features like Encrypted Backups that add even more security for users and help with account recovery when they lose their device. This guide explains how the Authy Backup feature works, and how to enable or disable backups.
How Authy backup works
It’s important to note that the Authy backup feature is optional. You need to manually enable it within the Authy app settings. If you choose not to enable the backup feature Authy will function like the Google Authenticator app and store your accounts on your phone instead of in the cloud. That means you won’t be able to recover your data if you lose your phone because without backups Authy can’t synchronize your 2FA tokens to your new device.
When you enable the Authy backup feature, your phone encrypts all your existing 2FA accounts data locally before sending it to Authy’s cloud servers to be stored. You are then required to create a key to decrypt your data. This key is your backup password, and it is securely stored on your phone – never sent to Twilio Authy servers.
You’re the only one who has access to your backup password and neither Authy nor anyone affiliated with Authy can decrypt your data to view what’s inside. That means if you lose your backup password Authy can’t restore your accounts. Hence, it is advisable that you either memorize your backup password or write it down immediately after creation and store it in a deposit box.
How to create an Authy backup password
Backup passwords allow you to encrypt and decrypt your 2FA account tokens and access all of your tokens on an Authy app on other configured devices. Having a backup password also ensures that you always have secure access to your 2FA account tokens in case you lose access to your devices or your Authy account.
After you activate backups, you will be asked to create a password that will be used to generate a secure key for encrypting your Authy 2FA account tokens. It’s advisable to use passwords with high entropy, or those that lack order and predictability.
Passwords must be at least eight characters long with uppercase letters, lowercase letters, numbers and symbols. You may wish to use password managers, as they are one of the easiest ways to generate a strong and secure password.
Can I recover my lost backup password?
Since the backup password is never sent to Authy or stored in their servers, if you lose your backup password, they are unable to recover your password. That means if you buy a new phone or you want to replace an old or lost device, you will not be able to decrypt your 2FA tokens from Twilio Authy servers and access them within the Authy app on your new device.
If you still have access to the original device on which you set up the Authy app with your 2FA account tokens for the first time, you can re-configure your Authy app on your new device.
How to reset your backup password
To reset your backup password, you’ll need to ensure all 2FA account tokens are decrypted on your device. Next, go to the settings menu and tap on Change Password in the Backup Password section.
Note that once you reset your backup password on one device, you will be required to enter this new backup password on all other devices with your Authy account.
How to enable or disable Authy backups
If you’re using the Authy app on Android or IOS, open the app and click the menu icon on the upper right corner. Select Settings, then tap the accounts tab to enable or disable backups. You’ll need to enter your backup password to enable the Backup and Sync options.
If you are using Authy on the desktop app for Linux, macOS or Windows, open the Authy Desktop app then click settings on the bottom right corner. Go to chrome_Settings.pn then tap the Accounts tab and select Authenticator Encrypted Backups. You’ll need your backup password.
Unlike other 2FA apps, Authy features an optional cloud backup option and you can use it on numerous devices.