
Ask HN: Do you believe that Authy cloud backups are secure? - Fej
Authy looks like a neat service, and their blog post about the security of backed-up TOTP keys is promising, but obviously no one can independently audit the code.

Could anyone else weigh in on the security of this product, if there's any public information? Have there been any serious breaches or exploits?
======
twunde
Many security-conscious product companies go through an independent audit of
their security processes to become certified. This doesn't necessarily mean
that the code is secure, but it does mean that the company/product follows
procedures and policies designed to ensure that the company and its products
are secure, such as going through an annual penetration test. According to
their website Authy is SOC2 compliant, so you should be able to ask them for
their report (you typically have to sign an NDA). Importantly, you should read
the report, ESPECIALLY the exceptions. It should give you a good feel for
their security model and security defenses.

~~~
Fej
That's interesting. You think they'd let a CS student look it over?

~~~
twunde
As long as you're considering buying it and are willing to sign an NDA. Twilio
also has a generic white paper that's available without scheduling a demo,
which may be more accessible. If you're having trouble with Twilio/Authy
giving you permission to view the SOC2, you should reach out to one of the
evangelists.

------
ehPReth
I haven't looked into it past being an Authy user but when restoring from
backup I was a bit miffed that the service (Google, GitHub, Other, etc) and
the comment (e.g. username, email) were able to be seen without inputting my
backup password.
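
The observation above is about what a backup password actually covers. The following is an added example, not code from Authy, Twilio or anyone in this thread: a minimal password-protected TOTP backup in which only the seed is encrypted, so service names and labels are readable by whoever holds the file, next to a variant that encrypts the whole record. It uses PBKDF2-HMAC-SHA256 for key derivation and an HMAC-SHA256 counter keystream with encrypt-then-MAC as a standard-library stand-in for AES; the iteration count, record layout and sample accounts are chosen for the example and are not Authy's. The TOTP function shows why the seed is the part worth protecting: the seed alone is enough to mint codes.

```python
"""Added example (not Authy's or Twilio's code): a minimal password-protected
TOTP backup showing what the backup password does and does not protect.

Assumptions: PBKDF2-HMAC-SHA256 for key derivation and an HMAC-SHA256 counter
keystream with encrypt-then-MAC as a standard-library stand-in for AES; the
iteration count and record layout are chosen for the example, not Authy's."""
import base64
import hashlib
import hmac
import json
import os
import struct

PBKDF2_ITERATIONS = 200_000  # assumption: example parameter, not Authy's

# Constructed sample account; the seed is the RFC 6238 test secret in base32.
ACCOUNTS = [
    {"service": "GitHub", "label": "alice@example.com",
     "seed": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
]


def _b64(b):
    return base64.b64encode(b).decode()


def derive_keys(password, salt):
    """One PBKDF2 run split into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    """CTR-style keystream using HMAC-SHA256 as the PRF (stand-in for AES-CTR)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter),
                        hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key_enc, key_mac, plaintext):
    """Encrypt-then-MAC with a fresh random nonce per record."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key_enc, nonce, len(plaintext))))
    tag = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    return {"nonce": _b64(nonce), "ct": _b64(ct), "tag": _b64(tag)}


def decrypt(key_enc, key_mac, blob):
    """Verify the tag first; a wrong password simply fails the MAC check."""
    nonce, ct, tag = (base64.b64decode(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong backup password or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key_enc, nonce, len(ct))))


def make_backup(accounts, password, encrypt_labels=False):
    """Default layout: only the seed is under the password; service and label
    are plaintext (the behaviour described in the thread). With
    encrypt_labels=True the whole record is encrypted, so the file reveals
    only how many entries it holds."""
    salt = os.urandom(16)
    ke, km = derive_keys(password, salt)
    entries = []
    for acct in accounts:
        if encrypt_labels:
            entries.append(encrypt(ke, km, json.dumps(acct).encode()))
        else:
            entries.append({"service": acct["service"], "label": acct["label"],
                            "seed": encrypt(ke, km, acct["seed"].encode())})
    return {"salt": _b64(salt), "labels_encrypted": encrypt_labels, "entries": entries}


def visible_without_password(backup):
    """What anyone holding the backup file can read with no password at all."""
    if backup["labels_encrypted"]:
        return []
    return [(e["service"], e["label"]) for e in backup["entries"]]


def restore(backup, password):
    """Rebuild the account list; raises ValueError on a wrong password."""
    ke, km = derive_keys(password, base64.b64decode(backup["salt"]))
    accounts = []
    for e in backup["entries"]:
        if backup["labels_encrypted"]:
            accounts.append(json.loads(decrypt(ke, km, e)))
        else:
            accounts.append({"service": e["service"], "label": e["label"],
                             "seed": decrypt(ke, km, e["seed"]).decode()})
    return accounts


def totp(seed_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the seed alone is enough to mint codes."""
    key = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    b = make_backup(ACCOUNTS, "correct horse")
    print("readable without password:", visible_without_password(b))
    print("readable without password (hardened):",
          visible_without_password(make_backup(ACCOUNTS, "correct horse", True)))
    print("code from restored seed:", totp(restore(b, "correct horse")[0]["seed"], 59))
```

The design choice the two layouts make visible: with plaintext labels, whoever holds the backup (the service operator or anyone who obtains the file) learns the account inventory even though the codes stay out of reach; encrypting the whole record costs nothing in usability beyond asking for the password before the list can be shown. The `totp` function reproduces the RFC 6238 test vector (seed `12345678901234567890`, time 59, code `287082` at six digits), which is a quick way to check the decryption path end to end.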

------
DarkByte
I ask myself the same question and I always stop at thinking that it's just the
2FA tokens and not the actual passwords.

------
abrands
I would agree

