How Authy 2FA Backups Work

Authy offers a backup feature for its two-factor authentication (2FA) tokens, which is an opt-in service that encrypts the accounts before uploading them to the cloud. The password used for encryption is not stored anywhere in their cloud service and must be remembered by the user. Backups are executed through several steps, including salting and running the password through a key derivation function called PBKDF2, using a secure hash algorithm, and encrypting each authenticator key with AES-256 in CBC mode along with a different initialization vector for each account. Restoring Authy keys involves confirming ownership of the original account, receiving a OneCode notification on another device, syncing keys, and providing the backup password to decrypt the keys.