Authy Review

Authy has been a powerhouse in the authenticator market for many years, even before its acquisition by Twilio in 2015. However, high-profile security incidents affecting Authy customers have made headlines in recent years. It’s unfortunate, because Authy’s user interface looks great and the app functioned well during recent tests. That said, Authy requires account creation via a phone number, which is not ideal. Its inability to export or import tokens makes switching from a different authenticator app very inconvenient, too. I recommend choosing apps that collect minimal data and don’t require an account to work, like 2FAS or Aegis Authenticator, both Editors’ Choice winners for authentication.

Security Incidents at Twilio

In July 2024, Twilio announced that “threat actors” had acquired more than 33 million Authy customers’ phone numbers. This comes two years after a different security incident compromised Authy customers.

I contacted Authy for a response to the most recent security incident. A spokesperson stated, “The security of our products and our customers’ data is of paramount importance. We saw no evidence that the threat actors breached Twilio’s systems or obtained sensitive internal data, but as a precaution requested all Authy users to update their apps for the latest security updates.”

Since 1982, PCMag has tested and rated thousands of products to help you make better buying decisions. See how we test.

You should use any authenticator app with caution. Anyone with access to your tokens may be able to access your accounts. With this in mind, Authy’s repeat security incidents negatively affect the review score.

Getting Started With Authy

Getting started with Authy

(Credit: Twilio/PCMag)

Authy is available for Android and iOS devices. I tested the Authy app using a Samsung Galaxy A71 5G. Screenshots are disabled by default and cannot be enabled on an Android device, so the screenshots in this review are from an iPhone.

Signup Requirements

To use multi-factor authentication (MFA) with a service that supports it, you only need a simple token generator. Therefore, I don’t think you should have to hand over an email address, a phone number, or any other personal information to use an authenticator app.

Authy needs a phone number to work on your mobile device. Luckily, it does not have to be your phone number. Instead, you can enter a fake phone number created using a service like Google Voice, and the app will still work. To compare, 2FAS and Aegis Authenticator do not require any information or account creation to function.

You can register the app with the same account across multiple devices, though Authy doesn’t offer multi-device registration by default for security reasons. You’ll need to enable it in the Settings menu. I tested this capability using an Android and an iPhone and was able to use the app seamlessly.

Data Collection Policies

Authy's data collection report on iOS

(Credit: Twilio/PCMag)

Some authenticator apps collect more data than others, especially given their highly specific functionality. According to the Google Play Store, the Authy app for Android may collect your email address, location data, and phone number. To compare, Google’s Authenticator app collects data from at least eight categories, including your phone’s Contact list, the photos and videos on your device, plus your phone number and physical address. Of the apps I’ve tested, 2FAS and Aegis Authenticator collect the least customer data.

Hands On With Authy

Hands on with Authy

(Credit: Twilio/PCMag)

Authy’s apps for Android and iOS feature spartan yet sleek user interfaces, with each website token’s associated logo prominently displayed. There are two ways to view your tokens. If you choose the list view, each will be displayed on the dashboard screen. If you choose the grid view, only one token is displayed at a time. You can lock the app using either a PIN or biometrics. For example, on iOS, you can use FaceID to open Authy.

Authy's 2FA guides

(Credit:Twilio/PCMag)

Hunting for a website or other online platform’s MFA section in the Settings menu can be painful. Thankfully, Authy takes some of the work out of setting up MFA for your accounts by providing written instructions with screenshots for at least 30 platforms and websites, including Cloudflare, Discord, Epic Games, Grammarly, and Snapchat.

To add a code to your token list, scan a QR code or enter a code manually to register the app for MFA on your preferred website. I registered new social media accounts using Authy without any problems. To use Authy while logging in, enter the six-digit code shown on the app dashboard.

Unlike 2FAS, Authy does not allow you to import tokens from competing authenticator apps. This makes switching from a different authenticator app to Authy pretty difficult.

Here’s how to switch from your old authenticator app to Authy:

Sign in to your online accounts.
Disable MFA for each platform or website.
Re-enable MFA.
Scan the associated QR code for every entry.

If you have MFA codes for all of your online accounts, switching away from Authy will be inconvenient and time-consuming. You also risk locking yourself out of an account if you forget to switch everything in your vault to Authy and delete the old authenticator app. Authy doesn’t allow you to export your authentication codes either, so it’s as difficult to leave the app as it is to switch to it.

Backing Up Account Info With Authy

Backing up tokens with Authy

(Credit: Twilio/PCMag)

Once you’re all set up, create a backup key to encrypt your tokens. Backing up your tokens is optional. According to a post on Authy’s blog, your files are encrypted on your device and then sent to Authy’s cloud storage. In the future, I’d like to see an option to back up data to my own secure online storage or online storage that Twilio doesn’t control. 2FAS allows backing up to both iCloud and and Google Drive.

Verdict: Authy Works Well, But Security Concerns Persist

There’s plenty to like about Authy. The app’s user interface is very well designed, and I was impressed with its detailed guides for new users. That said, there’s still room for improvement. Allowing you to use the app without creating an account would be a good start, and I’d like to be able to export or import tokens from other apps. As mentioned, Authy will rebuild its reputation over time, but a few recent, notable security incidents make me wary of totally trusting the app with my authentication tokens. Editors’ Choice winners 2FAS and Aegis are open-source alternatives that do not require account creation or your phone number to work, and both make importing and exporting easy.

Cons

Recent data breaches raise security questions
Requires account creation to use
Phone number needed to sign up
No exporting or importing functions

The Bottom Line

Authy’s user interface makes the authentication app exceptionally easy to use, but hackers have found it easy to breach in recent years.

Like What You’re Reading?

This newsletter may contain advertising, deals, or affiliate links.
By clicking the button, you confirm you are 16+ and agree to our
Terms of Use and
Privacy Policy.
You may unsubscribe from the newsletters at any time.

Newsletter Pointer

About Kim Key

Senior Security Analyst

I review privacy tools like hardware security keys, password managers, private messaging apps and ad-blocking software. I also report on online scams and offer advice to families and individuals about staying safe on the internet. Before joining PCMag, I wrote about tech and video games for CNN, Fanbyte, Mashable, The New York Times, and TechRadar. I also worked at CNN International, where I did field producing and reporting on sports that are popular with worldwide audiences.

Read Kim’s full bio