TL;DR
No, Authy doesn’t store all your 2FA keys on their servers even in multi-device mode. They use a clever system of encryption and local storage with optional cloud backup. However, there are still security considerations – keep your devices secure and understand the backup options.
Understanding How Authy Works
Authy is a two-factor authentication (2FA) app that generates codes for various online accounts. It’s popular because it supports multiple devices. Here’s how it works, and why your keys aren’t necessarily all on their servers:
1. Key Generation & Storage
- Local Encryption: When you add an account to Authy, the secret key (used to generate 2FA codes) is encrypted on your device using a unique key derived from your phone number and app PIN.
- Database: Authy stores metadata about your accounts (account name, issuer, etc.), but not the raw secret keys themselves. This metadata is linked to your phone number.
- Multi-Device Sync: When you add a device, Authy syncs this metadata – allowing codes to be generated on all devices. The actual key remains encrypted locally on each device.
2. Cloud Backup (Optional)
Authy offers an optional cloud backup feature. This is where the security considerations matter most:
- Encrypted Backups: If enabled, your encrypted keys are stored on Authy’s servers. They claim to use strong encryption for these backups.
- PIN Dependency: Even with cloud backup, you still need your Authy PIN to decrypt the keys.
- Security Trade-off: Cloud backup provides convenience (restoring accounts if you lose a device) but introduces a potential single point of failure. Although Authy uses end-to-end encryption, the backup is one more place where data could be compromised.
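To make sections 1 and 2 concrete, here is an added illustration (not Authy's code) of the two mechanisms they describe: a stored secret turning into a six-digit code via standard TOTP (RFC 6238), and a backup record that yields that secret only to the right PIN. The KDF parameters, the record layout and the toy cipher are assumptions for the example; Authy's real formats are not documented here.

```python
import hashlib
import hmac
import os
import struct

# Added illustration, not Authy's code. Part (1): a TOTP secret -> 6-digit code.
# Part (2): a backup record holding the secret under a PIN-derived key, so the
# server-side copy is useless without the PIN. KDF and cipher are assumptions.

def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 code: HMAC-SHA1 over the 30-second counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def pin_to_key(pin: str, salt: bytes) -> bytes:
    """Stretch the PIN into 64 bytes (assumed PBKDF2-HMAC-SHA256, 200k rounds)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000, dklen=64)

def wrap_secret(secret: bytes, pin: str) -> bytes:
    """Backup record = salt || ciphertext || tag. Toy cipher for illustration:
    one HMAC-SHA256 keystream block XOR'd over a secret of at most 32 bytes,
    plus an HMAC tag under a separate key so tampering is detected."""
    assert len(secret) <= 32
    salt = os.urandom(16)                  # fresh salt -> fresh key -> fresh keystream
    enc_key, mac_key = pin_to_key(pin, salt)[:32], pin_to_key(pin, salt)[32:]
    stream = hmac.new(enc_key, salt, hashlib.sha256).digest()
    ct = bytes(s ^ k for s, k in zip(secret, stream))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag

def unwrap_secret(record: bytes, pin: str):
    """Return the secret, or None when the PIN is wrong or the record was altered."""
    salt, ct, tag = record[:16], record[16:-32], record[-32:]
    key = pin_to_key(pin, salt)
    enc_key, mac_key = key[:32], key[32:]
    expect = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    stream = hmac.new(enc_key, salt, hashlib.sha256).digest()
    return bytes(c ^ k for c, k in zip(ct, stream))

if __name__ == "__main__":
    seed = b"12345678901234567890"               # RFC 6238 test secret (constructed input)
    record = wrap_secret(seed, "1357")            # this is all a backup server would hold
    print(totp(seed, 59))                         # 287082, matching the RFC test vector
    print(unwrap_secret(record, "0000"))          # None: wrong PIN, no secret recovered
    print(totp(unwrap_secret(record, "1357"), 59))  # restored device produces the same code
```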
3. How to Check Your Backup Status
To see if cloud backup is enabled:
- Open the Authy app.
- Go to Settings (usually a gear icon).
- Select Backup.
- It will tell you whether backups are on or off.
4. Security Best Practices
Here’s how to keep your Authy accounts secure:
- Strong PIN: Use a strong, unique PIN for your Authy app. Don’t reuse passwords!
- Device Security: Protect your devices with passcodes/biometrics. A compromised device means a compromised Authy account.
- Consider No Backup: If you’re highly security-conscious, disable cloud backup and keep offline backups of your recovery codes (if available).
- Recovery Codes: Some services offer recovery codes when setting up 2FA. Store these securely in a password manager or physical location.
5. What if Authy is Compromised?
If you suspect your Authy account has been compromised:
- Revoke Access: Immediately invalidate the authenticator for every account protected by Authy. This usually means logging into each service, disabling 2FA, and re-enabling it so a fresh secret is issued.
- Contact Support: Contact Authy support for assistance.
- New Device: Set up Authy on a new, secure device.