Yesterday Google Authenticator released an update for their iPhone app that wiped users’ keys when installed. That prompted a lot of users to switch to Authy and use our key backup feature. Immediately some people started raising concerns about our backup feature – but unfortunately, most of what they’re saying is false or incorrect. We want to make sure everyone knows the real facts.
First and most importantly: backups are optional and are off by default.
If you do not enable them, your accounts will only be stored inside your phone (just like all other apps do). So saying that you have to send us your keys to use Authy is completely incorrect. You might not like backups, but there are thousands of users who do. If you don’t, simply keep them off.
Second: backups are encrypted before uploading them to the server and we do not have the decryption key.
Most of what is said about how we handle encryption is entirely wrong. I’d like to describe exactly how we do it. To make backups compatible across devices, both the iOS and Android apps use the same method for encryption/decryption.
Backups are done in several steps. I’ll try to be as descriptive as possible to avoid any confusion or misinterpretation.
Lastly, I just want to reiterate that all encryption and later decryption happens inside your phone.
If you have any questions, please contact us at [email protected]. We’ll update this post as new questions/issues arise.