SUPPORT.TWILIO.COM END OF LIFE NOTICE: This site, support.twilio.com, is scheduled to go End of Life on February 27, 2024. All Twilio Support content has been migrated to help.twilio.com, where you can continue to find helpful Support articles, API docs, and Twilio blog content, and escalate your issues to our Support team. We encourage you to update your bookmarks and begin using the new site today for all your Twilio Support needs.

Security Alert: New Device Added

Authy users may receive a “Security Alert” notification email when adding a new device to an Authy account. The alert email includes the device name and location to help you identify it as an approved device. 

If you did not add this device to your Authy account

Your account may have been compromised. We recommend you take the following steps immediately:

Step 1: Remove the new device from your account.

  1. Access Settings in the Authy app.
  2. Navigate to the Devices tab.
  3. Select the new device to see its information.
  4. Select the option to remove this device.
     
    For a full walkthrough, see Remove a Device from your Authy Account.

Step 2: Disable multi-device in the Authy app.

  1. Access Settings in the Authy app.
  2. Navigate to the Devices tab.
  3. Uncheck or switch the Multi-device toggle to turn this feature off.
     
    For a full walkthrough, see Enable or Disable Authy Multi-Device.

Step 3: Change your Authy backups password.

  1. Access Settings in the Authy app.
  2. Navigate to the Accounts tab.
  3. Select the Change password option, and then follow the prompts to update your backups password.
    Note: Authy never stores backups passwords for your security, so make sure you write it down somewhere safe, and/or use a password only you know.
     
    For a full walkthrough, see Changing the Authy Backups Password.

Notice: If you cannot access your Authy account, and are unable to perform the steps above, we recommend you immediately contact Authy support. One of our specialists will respond to your request, and work with you to get your Authy account back up and running again.

If you were the one who added the device

No further action is required.

How could someone else have added my Authy account to their device?

In order to add an Authy account to a new device, a person needs to pass through a login verification process in the Authy app, including (but not limited to) verifying possession of the phone number registered for the account (see this article for details). Therefore, it is very important that you don’t let anyone have access to messages sent to that phone number.

Backups password provides additional security: When Backups are enabled in Authy, if someone adds your Authy account to their device, the would need to correctly enter the backups password you set when turning this feature on. Otherwise, they would be unable to decrypt or view the sensitive codes generated by the synced authenticator tokens you have previously backed up.

Recycled phone number scenario: Any time you change your phone number, your old phone number can eventually be "recycled" by your phone carrier, and assigned to another user. If you don't update your Authy account with your new number via our phone change process, then your Authy account will continue to be tied to the old phone number. In rare cases, a user that gets assigned your old recycled phone number by the carrier could successfully add your Authy account to their device.

In this situation, you would receive a New Device Added email to the address registered with your account, showing a portion of the old registered phone number. If you think this is what happened to your account, take the following actions immediately:

  • Initiate the phone change process immediately to update the registration of your Authy account to your new phone number.
  • Contact our Support team with the details of what you think happened so that they are aware and can provide further guidance.

Once the phone change process successfully completes, the other person will no longer have access to your Authy account or the tokens associated with it. If the other person has added additional tokens to your Authy account in the meantime, then those may appear as well, but please delete them.

Have more questions? Submit a request
Powered by Zendesk