How Authy uses your personal and device data

January 25, 2019
Written by
Authy
Twilion

Person using a laptop while holding a smartphone displaying a two-factor authentication code

How Authy uses your personal and device data

If you’ve been paying attention to current headlines, you’ve likely heard about privacy, data sharing, and businesses tracking people via online apps, social networks, and wireless providers. Occasionally we’ll see comments on Twitter that Authy, according to our privacy notice, shares data with third parties. This blog post was written to clarify precisely what we do and do not do with information collected as a result of using the Authy app.

How & Why Data Is Collected & Used

To understand how and why we collect data about users and their devices, let’s look at how the Authy app works. The most common feature enables you to save your Google Authenticator tokens, encrypt them, back them up in our secure cloud service, and then access them via the Authy app on multiple devices. If you only ever use Authy for this purpose, none of your data (device information, IP address, phone number or email) is shared outside of Twilio.

The Authy app is also used in combination with the Authy API, a Twilio cloud service that allows businesses to implement two-factor authentication to protect their customers. We build and distribute the Authy app for free so that API customers — companies like Twitch, Pinterest, Transferwise, Uphold, and Gemini, among others — don’t need to develop their own 2FA apps.

It’s in this scenario, when the Authy app is used in conjunction with the Authy API, some user data is beneficial to the businesses trying to protect your account. Advanced authentication systems leverage a number of signals (e.g., device type, wireless carrier, and IP address) to ensure that incoming authentication attempts are actually coming from legitimate users. For instance, you might create your account on a web browser on a Mac from an IP address associated with AT&T internet services then use the Authy app coming from the same wifi network address on an iPhone. A request then coming from an Android device in China would be flagged as suspicious. The more an application knows about legit users as they log in, the better the protection it can provide. This is especially important with so many illegitimate parties using increasingly inventive approaches to take over online accounts.

Protecting Accounts

Because of this need to protect accounts, we provide data as part of our service to better protect our customers’ users. Information on what we share and how it’s used is detailed in our API documentation. For very high-risk businesses such as financial institutions or cryptocurrency platforms, we also share IP address and more detailed data on the device to help them best protect financial transactions. The decision to share this extra data is made on a per customer basis, and we evaluate the legitimacy of each customer to ensure the data is being used appropriately.

The table below shows examples of some of the data we may provide to high-risk customers, showing different data depending on how the authentication takes place. Note that the location data is based on IP and not GPS tracking.

A table comparing two-factor authentication data received via SMS, Authy Desktop on macOS, and Authy on iOS.

Staying Safe

This blog post is an attempt to be fully transparent about data sharing. We hope it sheds some light on how and why we use some of the information we know about our users: to help secure their digital lives.

As part of Twilio, we take the privacy and security of Authy users very seriously. And we comply strictly with policies like Europe’s GDPR (General Data Protection Regulation). To reiterate, no Authy data is shared with any entity who is not an Authy API customer or part of Twilio’s approved service providers. The only information that is shared is that which actually results in the increased security of user accounts.

The big picture goal of the Authy 2FA app and our two-factor authentication APIs is to better protect users online. Under no circumstances are we sharing or selling your information to other companies for marketing or advertising purposes.

Thanks for reading and stay safe.