> 1. Authy tokens automatically sync even if you lose, change or upgrade phone.
So the tokens are stored on Authy's servers? Doesn't that defeat the purpose of two-factor? How do I (or an attacker) recover my tokens if I lose my phone?
Personally, I'd be concerned with trusting my credentials with any company unless all members of the leadership team (yes, including "nontech" people) are incredibly familiar with basic security terminology and practices.
(Note that the founder is unclear when PBKDF2 and AES are being used in the product, which is concerning, because they have very different use cases and should be hard to confuse).