Authy - is my backup secured by only my password or 2FA s well

I'm a Solutions Architect with Authy and am happy to clarify this issue for you.

As you noted, we do require a password to encrypt and store your 'backup keys'.

We also have an opt-in feature which allows for the syncing of these keys across multiple devices (iPhone, Android, Chrome Extension). When you add a second device, you need to provide the first phone number to get access to those keys. At this point, you can choose either an SMS/Voice or "Use Existing Device" (your initial phone) notification for accessing your Authy account.

If you choose SMS or Voice, your initially registered phone number will get a notification with a token to gain access to the Authy account.
Adding via SMS

If you choose to 'Use Existing Device', you'll receive the following prompt on your initially registered device as seen here:

Approved or Deny new device

Once you've added a device, you can always see (and remove) devices that are associated with your account from any device.

To answer your question, before an attacker can sync keys down to an additional device, they will have to have approved the addition of another device via a token or the "Use Existing Device" feature on your initially registered device. If they are able to provide this approval, then they already have access to your primary phone... which is not ideal.

I hope this clears everything up for you.

Cheers! - Josh @ Authy

tl;dr Even with your password, this attack vector still requires user-approval from your initially registered phone number.

stl;dr Your Authy ID is tightly coupled with the phone number initially used during registration. Having the "B4dpassw0rd" will not help the attacker.


Without requiring any access to a user's phone, a hacker could use the SMS/Voice option & exploit the vulnerabilities documented in the Signaling System 7 (SS7) protocol to intercept a token. They could also use an IMSI catcher to eavesdrop on tokens in transit. This isn't unique to Authy, since no 2FA system that relies on SMS has mechanisms to prevent this.

Tags:

Multi Factor

Related

Why don't web email clients put emails in an iframe? My email is listed as recovery email for an unknown Google account How is attacking WPA different from attacking WPA2? Couldn't credit/debit cards easily be made more secure? Why do mobile devices force user to type password after reboot? Does Rainbow Table Not Require Decompression? How to test CVE-2004-0789 Multiple Vendor DNS Response Flooding Denial Of Service? What kind of attack is prevented by Apache2's error code AH02032 ("Hostname provided via SNI and hostname provided via HTTP are different")? Chrome: Your connection is private but someone might be able to change the look of the page This Program Can not Be Run in DOS Mode Why does Microsoft use a digital signature catalog instead of a signature in the executable? Can a DDoS attack yield any information?

Recent Posts