
How the Authy Two-Factor Backups Work

Yesterday Google Authenticator released an update for their iPhone app that wiped users' keys when installed. That prompted a lot of users to switch to Authy and use our key backup feature. Immediately some people started raising concerns about our backup feature – but unfortunately, most of what they're saying is false or incorrect. We want to make sure everyone knows the real facts.

First and most importantly: backups are optional and are off by default.

If you do not enable them, your accounts will only be stored inside your phone (just like all other apps do). So saying that you have to send us your keys to use Authy is completely incorrect. You might not like backups, but there are thousands of users who do. If you don’t, simply keep them off.

Second: backups are encrypted before being uploaded to the server, and we do not have the decryption key.

Most of what is said about how we handle encryption is entirely wrong. I’d like to describe exactly how we do it. To make backups compatible across devices both the iOS and Android app use the same method for encryption/decryption.

How the Authy key backups work.

Backups are done in several steps. I’ll try to be as descriptive as possible to avoid any confusion or misinterpretation.

  1. We ask you to enter a password. The password has to be greater than 6 characters and we recommend at least 8.
  2. Your password is then salted and run through a key derivation function called PBKDF2. The details of how this is done are quite important:
    • We use SHA-256, which is slower than SHA-128 (slow is good here).
    • We use 1000 rounds. This number will increase as the processor power of low-end Android phones increases.
    • We salt the password before starting the 1000 rounds.
    • The salt is generated using a secure random.
  3. Using the derived key, each authenticator key is encrypted with AES-256 in CBC mode, with a different IV for each account.
    • Some authenticator keys are unfortunately 128 bits or less. In such cases, we pad them using PKCS#5.
  4. Only the encrypted result, salt and IV are sent to Authy. The encryption/decryption key is never transmitted.

Lastly, I just want to reiterate that all encryption and later decryption happens inside your phone.

If you have any questions please contact us at [email protected]. We'll update this post as new questions/issues arise.