Authy Blog

  • Home
  • Website
  • @authy
  • Contact us
  • September 4, 2013

    How the Authy Two-Factor backups work


    Yesterday Google Authenticator released an update for their iPhone App that wiped users keys when installed. That prompted a lot of users to switch to Authy and use our key backup feature. Immediately some people started raising concerns about our backup feature - but unfortunately most of what their saying is false or incorrect. We want to make sure everyone knows the the real facts.

    First and most importantly: backups are optional and are off by default.

    If you do not enable them, your accounts will only be stored inside your phone (just like all other apps do). So saying that you have to send us your keys to use Authy is completely incorrect. You might not like backups, but there are thousands of users who do. If you don't, simply keep them off.

    Second: backups are encrypted before uploading them to the server and we do not have the decryption key

    Most of what it's said about how we handle encryption is entirely wrong. I'd like to describe exactly how we do it. To make backups compatible across devices both the iOS and Android app use the same method for encryption/decryption.

    How the Authy key backups work.

    Backups are done in several steps. I'll try to be as descriptive as possible to avoid any confusion or misinterpretation.

    1. We ask you to enter a password. The password has to be greater than 6 characters and we recommend at least 8.

    2. Your password is then salted and ran through a key derivation function called PBKDF2. The details of how this is done are quite important:

      • We use SHA-256 which is slower than SHA-128. (slow is good here).
      • We use 1000 rounds. This number will increase as the low range Android phones processor power increases.
      • We salt the password before starting the 1000 rounds.
      • The salt is generated using a secure random.
    3. Using the derived key, each authenticator key is encrypted with AES-256 in CBC mode along with a different IV for each account.

      • Some Authenticator keys are unfortunately 128 bits or less. In such cases we pad them using PKCS#5.
    4. Only the encrypted result, salt and IV are sent to Authy.The encryption/decryption key is never transmitted.

    Lastly I just want to re-iterate that all encryption and later decryption happens inside your phone.

    If you have any questions please contact us at [email protected] We'll update this post as new questions/issues arise.