Passwords are not stored by default, if you do, you will need an encryption password.
Backups are encrypted before uploading
Let’s set the record straight on how we approach encryption. For your convenience, Authy can store an encrypted copy of your Authenticator accounts in the cloud. The account is encrypted/decrypted inside your phone, so neither Authy nor anyone affiliated with Authy can access your accounts.
How Authy Key Backups Work:
Backups are performed in several steps:
We ask you to enter the password. Passwords should be 6 characters long, although we recommend that you aim for at least 8 characters.
Your password is then salted out and run through a key derivation function called PBKDF2, which stands for Password Based Key Derivation Function 2. PBKDF2 is a key extension algorithm used to hash passwords in such a way that brute force attacks are less effective. The details of how to do this are very important:
We use a secure hash algorithm which is one of the most powerful hash functions available. It is a one-way function – it cannot be decoded again and it is one of the most powerful hash functions available.
We use 1,000 rounds. This number will increase as the processor power of a low-range Android phone increases.
We salt the password before starting 1000 rounds.
The salt is generated using a safe random value.
With the derived key, each authenticated key is encrypted using the Advanced Encryption Standard AES-256, in cipher block sequence (CBC) mode along with a different initialization vector (IV) for each account. To make each message unique, an IV must be used in the first block.
If any of the authentication keys are 128 bits or less, we install them using PKCS#5.
Only the encoded result, the salt, and the fourth are sent to Authy. The encryption/decryption key is never sent.
[Reactie gewijzigd door DRaakje op 11 augustus 2022 10:05]
“Coffee buff. Twitter fanatic. Tv practitioner. Social media advocate. Pop culture ninja.”