Hacker News new | ask | show | jobs
by scottmp10 4928 days ago
No they don't need the encryption key just like you don't if you get a new phone. They just need to know your password, send it to Authy, and Authy will decrypt the backup and send it to them.

Edit: I can't reply to the comments on this but they contain the exact procedure an attacker would have to go through, which, if correct, is much more difficult than just knowing the password.
1 comments
danielpal 4928 days ago
That's not at all how backups work. In order for a hacker to download the and decrypt the account they would need to:

1. Access to your e-mail to click a link confirming you changed your cellphone.

2. Access to your phone # to be able to get the SMS message with the registration key.

3. The encryption key you used.

If they can do all 3 they would get access to your account. If you feel that the level of security there is not good enough for you, you can disable the backups and key will never ever leave your phone

link
X-Istence 4928 days ago
I like how there is a nice catch-22 there ... I may need access to my OTP to gain access to 1, yet I need access to 1 to get access to my OTP.
link