
Authy

A cloud-backed TOTP mobile app for two-factor authentication with multi-device sync capabilities.

  • Multi-device sync for CIAM deployments
  • Cloud backup for seamless user onboarding
  • Push notification support for passwordless flows

What is Authy?

Authy is a mobile application (acquired by Twilio in 2015) that generates TOTP (Time-Based One-Time Passwords) for two-factor authentication, providing a critical second layer of security for CIAM implementations.

From a technical standpoint, Authy implements RFC 6238 (TOTP standard) but extends it with proprietary cloud synchronization features that differentiate it from standard authenticator apps.

Key technical characteristics:

  • TOTP Generation: 6-digit codes computed as HMAC-SHA1 over a 30-second time counter, per RFC 6238 (Authy's own-format tokens also use 7 digits and 10-second steps, but third-party enrollments use the standard 6-digit/30-second form)
  • Cloud Backup: TOTP secrets are encrypted on the device with AES-256 under a key derived from a user-chosen backup password before they are stored on Twilio infrastructure; Twilio does not hold that password, so a forgotten backup password means the backup cannot be decrypted
  • Multi-Device Architecture: A device-registration flow, tied to the account's phone number and verified through it (SMS or voice call), syncs tokens across multiple endpoints; Authy recommends turning "Allow multi-device" off once the devices you need are enrolled
  • Push Authentication: Twilio Verify push for approve/deny flows (beyond standard TOTP)
  • Platform Coverage: iOS and Android apps (Twilio retired the Authy desktop apps in 2024)

In CIAM architectures, Authy serves as a software-based second factor that bridges the gap between SMS (insecure) and FIDO2 hardware keys (higher friction). It's particularly valuable for consumer-facing applications where user experience matters but security requirements demand stronger authentication than passwords alone.

Security consideration: Unlike FIDO2/WebAuthn, TOTP codes can be phished: a real-time proxy phishing site simply relays the 6-digit code to the legitimate service inside the 30-second window. Push approval removes the code the victim would otherwise type, but it does not bind the approval to the requesting origin the way WebAuthn does and is exposed to MFA-fatigue (repeated prompt) attacks, so neither Authy mode is phishing-resistant.

Analogy

Think of Authy like a digital keychain that stays with you even if you lose your keys - it backs up your 2FA codes to the cloud so you never get locked out.

Types and Use Cases

Types of Authy Implementations in CIAM:

  • Consumer Authy TOTP: End-users install Authy app and scan QR codes during MFA enrollment (standard RFC 6238)
  • Authy Push (Twilio Verify): Service providers integrate Twilio Verify SDK to send push notifications instead of TOTP codes
  • Authy API Integration: Developers used the Twilio Authy API to programmatically manage TOTP tokens, backups, and device registration; Twilio has deprecated that API in favor of Twilio Verify, which new integrations should target

CIAM Use Cases:

  • Consumer 2FA Enforcement: E-commerce and SaaS platforms require Authy (or any TOTP app) for high-value transactions or account recovery
  • Enterprise B2B CIAM: Employees use Authy for accessing partner portals, vendor dashboards, and internal tools with MFA enforcement
  • Fallback Authentication: Authy serves as backup MFA method when primary FIDO2 keys are unavailable
  • Compliance Requirements: Financial services use Authy as the possession factor for PSD2 strong customer authentication (SCA)
  • User Migration: Organizations migrating from SMS OTP to app-based MFA use Authy as low-friction transition tool

How it Works

1. User initiates MFA enrollment in the CIAM platform, which generates a random TOTP secret and displays it as a QR code encoding an otpauth://totp/ URI (secret, issuer and account label, optionally algorithm, digits and period)
2. User scans the QR code with the Authy app, which stores the secret, computes HMAC-SHA1 over the current 30-second time counter, truncates the result, and displays the 6-digit TOTP code
3. During login, user enters the TOTP code from the Authy app; the CIAM backend recomputes the codes for the current step and a small drift window (typically ±1 step), compares in constant time, and records the accepted step so the same code cannot be replayed within the window
Example validation record (illustrative):
{
  "auth_flow": "totp_verification",
  "user_id": "usr_8f3a2b1c9d",
  "totp_submission": {
    "code": "123456",
    "timestamp": "2026-05-06T14:32:15Z",
    "time_step": 59269264
  },
  "server_validation": {
    "computed_codes": ["123456", "123457", "123455"],
    "time_drift_window": "±1 step (codes for 3 consecutive 30-second steps accepted)",
    "result": "valid"
  },
  "authy_metadata": {
    "device_id": "auth_12345",
    "backup_enabled": true,
    "multi_device": true
  }
}

Authy vs Google Authenticator

Cloud Backup
  • Authy: encrypts TOTP secrets on the device under a user-chosen backup password and stores them in the Twilio cloud (recoverable on a new device if the backup password is known)
  • Google Authenticator: kept secrets only on the device until 2023; it now offers optional sync to the user's Google Account, which at launch was not end-to-end encrypted and has no separate backup password

Multi-Device Sync
  • Authy: simultaneous use on phone + tablet with automatic sync through device registration
  • Google Authenticator: no device-to-device sync of its own; with Google Account sync enabled the same codes appear on any device signed into that account

Push Notifications
  • Authy: supports Twilio Verify push approvals (for services that integrate Verify)
  • Google Authenticator: TOTP-only, no push capability

Privacy Trade-off
  • Authy: encrypted secrets leave the device for Twilio servers (a point for enterprise data-handling reviews)
  • Google Authenticator: secrets stay local unless the user opts into Google Account sync, in which case they leave the device for Google

API Access
  • Authy: offered developer APIs for programmatic TOTP management (now deprecated in favor of Twilio Verify)
  • Google Authenticator: no public API for integration

Best Practices for Authy

CIAM Best Practices for Authy Integration:

  • Prefer FIDO2 for high-security scenarios: Authy (TOTP) is phishing-prone - use YubiKey/WebAuthn for admin accounts, executives, and high-value transactions
  • Implement fallback channels: Provide a backup MFA method for users who lose their device without cloud backup, but remember an account is only as strong as its weakest accepted factor: prefer one-time recovery codes issued at enrollment, and if SMS or email OTP must be offered, gate it behind additional risk checks rather than letting it act as a silent downgrade
  • Educate users on backup setup: During MFA enrollment, explicitly prompt users to enable Authy cloud backup (and to keep the backup password somewhere safe) BEFORE they leave the setup flow
  • Monitor for anomalous TOTP usage: Reject any code already accepted for its time step, and alert on rapid successive failures (guessing) and on a code re-submitted from a different IP shortly after it was accepted, which is the signature of a real-time phishing relay
  • Consider compliance implications: For HIPAA/GDPR, evaluate if storing TOTP secrets in Twilio cloud meets your data residency and privacy requirements
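One way to implement the monitoring bullet above against the verifier's own events, as an added example for this entry (not LoginRadius code). The event schema, field names and the sample lines are constructed; the sample contains one code replayed from a second IP 25 seconds after it was accepted, one guessing burst, and one user who mistypes twice and then succeeds.

```python
"""Detection logic over TOTP verification events: replay alerts that carry the IP
of the original success, and sliding-window brute-force detection.
Added example for this glossary entry, not LoginRadius code; the event schema
and the JSON-lines sample are constructed."""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample events (not real logs), one JSON object per line.
SAMPLE_EVENTS = """\
{"ts":"2026-05-06T14:32:15Z","user":"usr_8f3a2b1c9d","ip":"203.0.113.7","result":"valid","step":59269264}
{"ts":"2026-05-06T14:32:40Z","user":"usr_8f3a2b1c9d","ip":"198.51.100.9","result":"invalid","reason":"replay","step":59269264}
{"ts":"2026-05-06T14:40:01Z","user":"usr_c0ffee","ip":"192.0.2.10","result":"invalid","reason":"no_match"}
{"ts":"2026-05-06T14:40:05Z","user":"usr_c0ffee","ip":"192.0.2.10","result":"invalid","reason":"no_match"}
{"ts":"2026-05-06T14:40:09Z","user":"usr_c0ffee","ip":"192.0.2.10","result":"invalid","reason":"no_match"}
{"ts":"2026-05-06T14:40:13Z","user":"usr_c0ffee","ip":"192.0.2.10","result":"invalid","reason":"no_match"}
{"ts":"2026-05-06T14:40:17Z","user":"usr_c0ffee","ip":"192.0.2.10","result":"invalid","reason":"no_match"}
{"ts":"2026-05-06T14:40:21Z","user":"usr_c0ffee","ip":"192.0.2.10","result":"invalid","reason":"no_match"}
{"ts":"2026-05-06T14:51:00Z","user":"usr_ok","ip":"203.0.113.40","result":"invalid","reason":"no_match"}
{"ts":"2026-05-06T14:51:20Z","user":"usr_ok","ip":"203.0.113.40","result":"invalid","reason":"no_match"}
{"ts":"2026-05-06T14:51:45Z","user":"usr_ok","ip":"203.0.113.40","result":"valid","step":59269303}
"""


def parse_events(text: str) -> list[dict]:
    """One JSON object per line; adds a Unix timestamp and sorts chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["t"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        events.append(e)
    return sorted(events, key=lambda e: e["t"])


def detect(events: list[dict], fail_threshold: int = 5, window_s: int = 60) -> list[dict]:
    """Returns alerts of two kinds:
    - totp_replay: the verifier rejected a code it had already accepted; the alert
      carries the IP of the original success, so a relay from a different address
      stands out from a user who merely double-submitted the form.
    - totp_brute_force: at least fail_threshold failures for one user inside window_s
      seconds; a success ends the run, so ordinary typos do not accumulate."""
    alerts = []
    recent_failures: dict[str, deque] = defaultdict(deque)
    last_success: dict[str, dict] = {}
    for e in events:
        user = e["user"]
        if e["result"] == "valid":
            last_success[user] = e
            recent_failures[user].clear()
            continue
        if e.get("reason") == "replay":
            prev = last_success.get(user)
            alerts.append({"type": "totp_replay", "user": user, "ip": e["ip"],
                           "first_used_from": prev["ip"] if prev else None,
                           "cross_ip": bool(prev) and prev["ip"] != e["ip"]})
            continue
        q = recent_failures[user]
        q.append(e["t"])
        while q and e["t"] - q[0] > window_s:     # drop failures outside the window
            q.popleft()
        if len(q) >= fail_threshold:
            alerts.append({"type": "totp_brute_force", "user": user, "ip": e["ip"],
                           "failures": len(q), "window_s": window_s})
            q.clear()                              # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run against the sample it raises exactly two alerts: a cross-IP replay for usr_8f3a2b1c9d and a five-failure burst for usr_c0ffee; usr_ok raises nothing. Both rules depend on the verifier recording the accepted step per user, without which a relayed code looks like a normal success.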

How LoginRadius Powers Authy

LoginRadius CIAM platform provides comprehensive support for Authy through standard TOTP (RFC 6238) integration, enabling seamless MFA enrollment and validation for consumer and B2B identity scenarios.

Core Integration Capabilities:

  • TOTP Enrollment: LoginRadius generates TOTP secrets and displays QR codes that users scan with Authy app during self-service MFA setup
  • Real-Time Validation: Server-side TOTP verification with configurable time-drift windows (±1-2 steps) to handle clock skew between devices
  • MFA Policies: Administrators can enforce TOTP (Authy) for specific user segments, high-risk login attempts, or regulated industries requiring strong authentication
  • Fallback Methods: LoginRadius provides SMS OTP, email OTP, and security questions as backup authentication when users cannot access their Authy app

Advanced CIAM Features:

  • Step-Up Authentication: Trigger Authy TOTP requirement for sensitive operations (password change, payment authorization, administrative actions)
  • Multi-Tenant Support: B2B CIAM deployments can enforce Authy MFA per tenant with custom policies and branding
  • Audit & Compliance: All TOTP verification events are logged with timestamps, device fingerprints, and IP geolocation for compliance reporting (SOC 2, ISO 27001)

Recommendation: While LoginRadius fully supports Authy for TOTP-based MFA, we recommend implementing FIDO2/WebAuthn (YubiKey, or platform authenticators such as Face ID and Windows Hello) as the primary MFA method for phishing resistance, with Authy as a user-friendly fallback option for broader adoption.

FAQs

How does Authy differ from Google Authenticator for CIAM?

  • Backup & Recovery: Authy provides cloud backup with secrets encrypted under a user-chosen backup password on Twilio infrastructure, so users can restore TOTP tokens on a new device; Google Authenticator had no backup until 2023 and now offers optional Google Account sync, and without it losing the device means re-enrolling everywhere
  • Multi-Device Support: Authy syncs TOTP tokens across multiple devices simultaneously (phone + tablet); Google Authenticator has no device-to-device sync of its own, though Google Account sync makes the same codes available on any signed-in device
  • Integration Options: Authy offers push notification support via Twilio Verify (its standalone developer API is deprecated in favor of Verify); Google Authenticator is a closed system with no programmatic integration options
  • Enterprise CIAM Impact: Authy reduces support tickets for lost-device MFA recovery but introduces a third-party dependency on Twilio; Google Authenticator has higher recovery friction for users but no external dependency unless Google Account sync is used

What are the security considerations when relying on Authy?

  • Phishing Vulnerability: Authy generates TOTP codes that users can be tricked into entering on phishing sites (unlike FIDO2, which binds the credential to the origin), so treat TOTP as a downgrade for privileged accounts and high-value actions
  • Cloud Storage Risk: TOTP secrets are encrypted on the device with AES-256 under the backup password and stored on Twilio servers; evaluate whether this meets your data residency requirements (GDPR, HIPAA, SOC 2)
  • Better Than SMS: Authy is significantly more secure than SMS OTP because codes never traverse the carrier network, but the Authy account itself is tied to a phone number and new-device registration is verified through it, so turn off multi-device after enrollment to limit SIM-swap exposure; it remains less secure than FIDO2 hardware keys
  • Compliance Position: Authy can support PSD2/SCA requirements for strong customer authentication, but document the Twilio dependency in your compliance audits

How does LoginRadius integrate with Authy?

  • Standard TOTP Flow: LoginRadius generates TOTP secrets and QR codes per RFC 6238; users scan them with the Authy app during MFA enrollment (the same flow as Google Authenticator or any other TOTP app)
  • Validation: During login, users enter the 6-digit TOTP from Authy; LoginRadius validates server-side using the shared secret and time-step calculation
  • MFA Policies: Configure LoginRadius MFA rules to require TOTP for specific user groups, IP ranges, or high-risk actions
  • Fallback Strategy: Set up SMS/email OTP as backup methods in LoginRadius for users who cannot access Authy (lost device, no backup enabled), with risk checks on the fallback path
  • Migration Path: For the strongest security, use LoginRadius's FIDO2/WebAuthn support (YubiKey, Face ID) as primary MFA, with Authy as the fallback option
