Tags: php, authentication, authy

How do I find my secret key to add my Authy application to clients' phones?


After setting up MFA, most clients have the account automatically added to their Authy app.

For others, they are trying to add the account by clicking Settings >> Add Account. It then asks them to scan a QR code or manually enter a key.

As the developer, I cannot for the life of me find out how to get this key or QR code. I have read through the docs entirely.

What am I missing? I am using the PHP SDK.


Solution

Authy developer evangelist here.

With Authy, the secret key is not exposed to you, the developer, for security reasons. It is only shared with the user directly via the application, without them having to do anything, as you described. Authy, in fact, manages the keys between the app and the user more than just on the first occasion, as keys can be rotated regularly without your or the user's intervention.

If a user is finding that they have signed up to your site but your application isn't appearing in their Authy app, then a couple of things might have happened.

This should resolve itself over time as the user will eventually get their phone back on a network. You might consider suggesting they install Authy Desktop to use their desktop computer to authorise.

Alternatively, you could ensure they get a token and finish registering with your site by giving them the option to receive the token over SMS and forcing the token to be sent over SMS, using the force parameter when requesting a token.

For this, again, you may want to give them the option to receive a token by SMS. Or get the user to check their Authy account settings in the application and perhaps re-enter their phone number.

Overall, you won't get access to the secret or a QR code, as that is not how Authy manages the secrets. Instead, either give the option to receive an SMS or get them to install an application on a device that has a connection.

Let me know if that helps at all.
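The SMS fallback the answer describes, written out as an added example with the Authy PHP SDK (authy-php); this is not code from the question, the answer, or the Authy project. It assumes the library is installed through Composer, that the API key is read from the `AUTHY_API_KEY` environment variable (the literal fallback is a placeholder), and that the Authy ID stored against the user at registration is the placeholder `12345`. Requesting the token and verifying it happen in two separate HTTP requests in a real application, so they are shown here as two functions.

```php
<?php
// Added example, not from the original post: force an Authy token to be delivered by
// SMS and then verify the token the user submits. API key and Authy ID are placeholders.
require __DIR__ . '/vendor/autoload.php';

use Authy\AuthyApi;

// The key comes from the Authy dashboard; keep it in the environment, never in source.
$authyApi = new AuthyApi(getenv('AUTHY_API_KEY') ?: 'YOUR_AUTHY_API_KEY_PLACEHOLDER');

// Step 1 (called when the user asks for "send me a code by SMS").
// Without "force", Authy suppresses the SMS when the user already has the app installed,
// which is exactly the situation the answer is working around.
function sendSmsToken(AuthyApi $api, int $authyId): bool
{
    $resp = $api->requestSms($authyId, ['force' => 'true']);
    if (!$resp->ok()) {
        // errors() is an associative array of field => message returned by the API.
        error_log('Authy SMS request failed for ' . $authyId . ': ' . json_encode($resp->errors()));
        return false;
    }
    return true;
}

// Step 2 (called when the login form is posted with the token).
// Tokens are short-lived and single-use: a rejection is a normal failed login, not an
// application error, so log it and show a generic message rather than the raw API response.
function checkToken(AuthyApi $api, int $authyId, string $token): bool
{
    $token = trim($token);
    if ($token === '' || !ctype_digit($token)) {
        return false;            // reject obviously malformed input before calling the API
    }
    $resp = $api->verifyToken($authyId, $token);
    if (!$resp->ok()) {
        error_log('Authy token rejected for ' . $authyId . ': ' . json_encode($resp->errors()));
        return false;
    }
    return true;
}

// Usage sketch (placeholder Authy ID; in practice this is looked up from the user's record).
$authyId = 12345;

if (isset($_POST['send_sms'])) {
    echo sendSmsToken($authyApi, $authyId)
        ? 'A verification code has been sent by SMS.'
        : 'Could not send a verification code. Please try again later.';
} elseif (isset($_POST['token'])) {
    echo checkToken($authyApi, $authyId, (string) $_POST['token'])
        ? 'Token verified; complete the login.'
        : 'Invalid or expired token.';
}
```

The `'force' => 'true'` option is what makes the request override Authy's default of not sending an SMS to a user who already has the app; the same option exists on the phone-call fallback, which is the other route the answer's "device that has a connection" advice leaves open when SMS is not an option.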