Notice: This article is also available in Portuguese.
A Backup Password ensures that you always have secure access to your 2FA account tokens, even if you lose access to your devices, your Authy app, or your Authy account.
- If a user enables the Backup Password setting in their app, they are prompted to create a Backup Password that encrypts their existing 2FA account tokens.
- These encrypted tokens are stored on Twilio Authy servers.
- The Backup Password is securely stored on the user’s local device, and never sent to Twilio Authy servers. We recommend that users either memorize a strong Backup Password, or write it down immediately after creating it to store it in a safe place.
When backups are disabled, newly added tokens won't be uploaded to the Authy server. However, the keys that were already uploaded will remain, and will be synchronized on other devices logged in with your account.
What are the benefits of using a Backup Password?
A Backup Password is useful if you want to encrypt your 2FA account tokens and
- access all of your tokens on an Authy app on another device later.
- store them on the cloud on Twilio Authy servers.
The Backup Password is what allows you to decrypt your 2FA tokens onto another registered device.
Notice: If you plan to use the Authy app on more than one device to synchronize your 2FA account tokens, please also familiarize yourself with the multi-device feature and how it is used.
What if I lost my Backup Password? How do I recover it?
If you lose your Backup Password, you will not be able to decrypt your 2FA tokens from Twilio Authy servers and access them within the Authy app on any other device (e.g., if you bought a new phone to replace an old or lost device). If you still have access to the original device on which you first set up the Authy app with your 2FA account tokens, you can follow these steps to re-configure your Authy app on a new device.
Notice: Since the Backup Password is never sent to Twilio Authy or stored in our servers, we are unable to recover your password.
Can I reset my Backup Password?
Yes, it is possible to reset your Backup Password by tapping Change Password in the Backup Password area of the Settings menu within the Authy app. You will have to ensure that all 2FA account tokens are decrypted on your device (no red lock icons). Once a user resets their Backup Password on a device, all other devices with the Authy app for this user’s Authy account will require entering the new Backup Password.
Can I use my Backup Password on other devices?
Yes, once a Backup Password is created, it can be used on any other device on which the Authy app is installed for the same account. Twilio does not store a user’s Backup Password on Twilio Authy servers. But if a user enters their Backup Password on any other device, it decrypts their 2FA account tokens onto that specific instance of the Authy app. Note: toggling the Backup Password within the Authy app on one device won’t update this setting on another device on which you use the Authy app linked to the same Authy ID.
I see a red lock icon for my 2FA account token. What should I do?
The red lock icon denotes an encrypted token that is backed up to our Twilio Authy servers. As a security measure, we require users to decrypt any 2FA account tokens on their new device before a user can use these 2FA account tokens or add any additional 2FA accounts tokens to their account.
Does Twilio store my Backup Password?
No, Twilio does not store or pass a user’s Backup Password to Twilio Authy servers. The Backup Password is stored as local data on your device, and gets deleted with a clean uninstall of the Authy app.
I disabled my Backup Password, but tokens keep syncing. What's going on?
Authy apps have an automatic syncing function that can’t be disabled. This functionality brings the following updates from the Authy servers:
- Newly added 2FA account tokens (synced from another device with backups enabled)
- 2FA account tokens set to be removed
- Selected logos (if supported, more info here)
- Name changes (synced from an Authy service changing their token name, or a user manually changing a token's name on another synced device)
If at some point you enabled backups, and your encrypted 2FA account tokens were uploaded to our servers, these tokens will automatically sync with any newly configured devices on your Authy account.
How can I delete my encrypted tokens from Twilio Authy servers?
It isn’t possible to delete the 2FA account tokens only from Twilio Authy servers. You can, however, delete the token manually from the Authy app on your device. This action removes the synchronized encrypted token from our servers (even if the Backup Password is disabled), and any other synchronized devices on your account.
Once you delete the 2FA account tokens, you can disable your Backup Password and add new tokens. These new tokens won't be uploaded to our servers unless you enable your Backup Password again.
How do you derive encryption keys from a Backup Password?
We use PBKDF2, the key-derivation algorithm recommended by the National Institute of Standards and Technology (NIST).
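As an added illustration of this model (not Authy's own code: the iteration count, salt size and the HMAC-based cipher are assumptions chosen for a dependency-free example, and Authy's real parameters and cipher are not stated on this page), the following Python stretches a Backup Password with PBKDF2 on the device, encrypts a token secret before upload, and shows that a second device recovers the secret only with the same password:

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters for illustration only (not Authy's actual values).
PBKDF2_ITERATIONS = 210_000
KEY_LEN = 32


def derive_keys(password: str, salt: bytes) -> tuple:
    """PBKDF2-HMAC-SHA256 stretches the Backup Password into an encryption key and a MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=2 * KEY_LEN)
    return okm[:KEY_LEN], okm[KEY_LEN:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real AEAD such as AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_token(password: str, token_secret: bytes) -> dict:
    """Runs on the device: only this record (never the password) is uploaded to the server."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(token_secret, _keystream(enc_key, nonce, len(token_secret))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt_token(password: str, record: dict) -> Optional[bytes]:
    """Runs on another device: returns the secret, or None when the password is wrong (the 'red lock' state)."""
    enc_key, mac_key = derive_keys(password, record["salt"])
    expected = hmac.new(mac_key, record["salt"] + record["nonce"] + record["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None  # wrong password or tampered record: refuse to decrypt
    ks = _keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks))
```

Because the salt is stored with the record, the same password deterministically yields the same keys on every device, which is why one Backup Password unlocks the backup on any registered device.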
What does Authy recommend for creating a Backup Password?
In general, we recommend Authy app users choose high entropy passwords, or those that lack order and predictability. The easiest way to generate a secure password would be to use password managers, or a passphrase generator like the one found here: https://www.rempe.us/diceware/#eff.
Does Authy know what 2FA account tokens I've added?
Only if you enabled a Backup Password can we know what 2FA accounts you have added:
- For accounts added by a scanned QR code, the Authy app uploads the QR code. QR 2FA account sites/providers are free to decide what data is in the QR code, but typically this consists of the site name and the user name or email address.
- For accounts manually added, the Authy app only uploads the logo, which can be manually changed by the user in-app.
A user could add all tokens manually (without using QR codes), to avoid sharing any information the QR code might add.
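To make concrete what a scanned QR code can reveal, here is an added example (not Authy's code) that splits an otpauth:// Key URI into the secret and the identifying metadata (issuer, account name, other parameters) that travels with it; the URI and its values are constructed:

```python
from urllib.parse import parse_qs, unquote, urlparse


def inspect_key_uri(uri: str) -> dict:
    """Separate an otpauth:// Key URI into its secret and the metadata a QR code carries alongside it."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    label = unquote(parts.path.lstrip("/"))  # e.g. "Example:alice@example.com"
    issuer_prefix, _, account = label.rpartition(":")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "type": parts.netloc,  # "totp" or "hotp"
        "issuer": params.get("issuer") or issuer_prefix.strip() or None,
        "account": account.strip(),
        "secret": params.get("secret"),
        # everything except the secret is identifying or descriptive data
        "metadata": {k: v for k, v in params.items() if k != "secret"},
    }
```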
Do I need ‘Multi-device’ enabled in order to set up my Backup Password?
Multi-Device allows you to set up multiple trusted devices to use the same Authy account, while the Backup Password lets you access all of your tokens on those trusted devices. Although the two features are independent of each other, both are necessary to sync your tokens across devices properly.
Let’s take an example:
Mary has the same phone number she uses to access the Authy app on her iPhone as well as on her Windows laptop. Mary has enabled the Multi-device functionality on both devices. Her Backup Password is enabled on her iPhone but not on her Windows laptop.
Now if Mary accesses the Authy app on her Windows laptop (the one with the Backup Password disabled), will all her 2FA account tokens get synchronized to Twilio Authy servers (due to Multi-device being enabled)?
The answer to this depends on the type of 2FA account token. Since the Authy token is a Twilio Authy standard and is a token that is directly added by a developer service into Mary’s Authy app, this type of 2FA account token will sync to Twilio Authy servers and will be available on both devices.
The Authenticator 2FA account tokens, that are based on the Key URI format, however, will not all sync to Twilio Authy servers. In the case of the latter, only those 2FA account tokens that were synchronized before disabling the Backup Password would get stored on Twilio Authy servers and appear on both devices.
Will enabling/disabling the Backup Password apply to my other devices on which I have the Authy app installed?
No. Toggling the Backup Password only affects that device, not any other devices that may previously have been connected while Multi-device functionality was enabled. This is because the Backup Password is never sent to Twilio Authy servers.