Migration guide
How to Migrate from Authy in 2026: The Step-by-Step Guide
Authy does not have an export button. That is not a bug. That is the policy. If you are reading this, you have already tried to find one and come up empty.
This guide is the honest way out. It works whether you end up on Fob, Aegis, Bitwarden Authenticator, or somewhere else. The steps are the same. The order matters. We will be clear about what is painful and what is not.
Who this is for: anyone who signed up for Authy because of the multi-device sync, then watched Twilio kill the desktop app in August 2024, and has been stuck with 20, 40, or 80 accounts and no clean way to leave.
What changed with Authy
In August 2024, Twilio shut down the Authy desktop apps for Windows, macOS, and Linux. The mobile apps kept working. The desktop replacement Twilio pointed users toward was a browser extension tied to Twilio Authentication, a paid business product, not a consumer migration path.
At the same time, Authy has never shipped a user-facing export. You cannot open the app, tap a menu, and get a file with your accounts in it. Google Authenticator has this. Aegis has this. 2FAS has this. Authy does not.
The 2022 Twilio incident is the other piece of context most readers want named. An attacker harvested 33 million phone numbers tied to Authy accounts. It did not expose vault contents, but it did expose who used Authy, which was enough to drive SIM-swap attacks downstream. That is the backdrop to why a lot of users started looking for the door.
Why you can't just export your Authy accounts
The short version: Authy treats the no-export story as a feature, not a gap.
The public rationale from Twilio is that exporting 2FA seeds is a security risk. If a file with all your codes can be extracted from the app, the same file can be extracted by malware, by a stolen phone, or by anyone who gets the device unlocked once. Authy's position is that keeping seeds bound to their cloud makes you safer.
Reasonable people disagree. Apps like Aegis and 2FAS take the opposite position: it is your data, you should be able to take it somewhere else, and if you choose a bad place to put it, that is your call to make. Fob takes the same position. Your codes are yours. Export lives behind a reauth prompt, not behind a support ticket.
What this means in practice: there is no magic import. To leave Authy, you log into each service, turn off 2FA, and turn it back on with a QR code you scan in your new app. One account at a time. On every platform. For every user.
The rest of this guide is how to do that without losing access to anything.
The manual migration process
1. Pick your destination app
This guide does not care which app you pick. The migration steps are the same. A few honest notes on the good options:
- Fob (coming to Android first, iOS after). Built around tags, so a Coinbase account can live in crypto, exchange, and high-value at once. End-to-end encrypted sync, export-always, guided recovery at onboarding. This is the app we are building. We would not write a migration guide that hands you to a competitor if we did not think the product stood on its own.
- Aegis (Android only, free, open source). Excellent if you do not need sync and do not need iOS. Single-group organization, which tends to break at 20+ accounts.
- Bitwarden Authenticator (Android and iOS, free). Works well if you are already a Bitwarden user. Features are intentionally basic, which is fine for small vaults.
- 2FAS (Android and iOS). Solid free option. Browser extension is a nice touch.
Pick one. Install it before you start. Do not skip this step and start disabling 2FA on your bank while you "figure it out later."
2. Understand that export-before-disable is not an option
Users leaving Google Authenticator have it easier. That app exports accounts as a QR code you scan into the new app in a few minutes. The workflow does not exist for Authy. There is no export-first path. You do not have a file to import.
What this means: the only way a Fob wizard, an Aegis import button, or any other "migration" feature can help you is by tracking progress as you re-enroll accounts manually. It is checklist automation, not data migration. We are honest about that on our homepage and we are honest about it here.
3. Order your accounts by blast radius, not by alphabet
Do not start with the 47th thing down the list. Start with the accounts where losing access would ruin your week.
The priority order that actually works:
- Primary email account (Gmail, iCloud Mail, Fastmail). If you lose email, you lose your recovery path for everything else. Do this one first, with a second recovery factor already set up, so you do not lock yourself out mid-migration.
- Banking and payments. Chase, Wells Fargo, Venmo, PayPal. Small number of accounts, high cost of failure.
- Crypto exchanges and wallets. Coinbase, Binance, Kraken, Ledger Live. These often have the most hostile 2FA-change flows, so allocate time.
- Work identity. Okta, Google Workspace admin, AWS root, GitHub, password manager. If you are an admin on anything, do that before you sleep.
- Everything else. Social, shopping, media, forums. Low stakes, high count. Batch these on a rainy Saturday.
A 40-account migration usually takes 90 minutes to 3 hours spread across a day or two. Not one sitting.
4. For each account: the six-step flow
On a desktop computer, ideally, with the service open in one window and your new authenticator in your hand:
- Log into the service using your current Authy code.
- Go to Security or Account Settings. The path varies. Look for "Two-factor authentication," "2FA," "Login security," or "Multi-factor authentication."
- Disable 2FA. The service will usually require a current Authy code to do this. Some services require a password too. A few (see the next section) require a support ticket.
- Immediately re-enable 2FA, this time choosing "Authenticator app" or "TOTP app."
- Scan the new QR code with your destination app. The new app stores the secret and starts generating codes.
- Test the new code before you leave the page. Enter the 6-digit code from your new app into the service's confirmation field. If it accepts, the account is migrated. If it does not, scan again and retest. Do not close the tab until this works.
Save the recovery codes the service offers you. Paste them into your password manager. This is the backup for the backup.
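What the QR code in the scan step carries, and why the test step matters, shown as an added example (not code from Fob or any app named here): the QR encodes an otpauth:// URI, and the app derives each code from the secret and the clock per RFC 6238. The sample URI is constructed from the RFC's public test secret; function names are hypothetical.

```python
import base64
import hmac
from urllib.parse import parse_qs, unquote, urlparse

DEFAULTS = {"algorithm": "SHA1", "digits": 6, "period": 30}


def parse_otpauth(uri):
    """Return the fields an authenticator stores from an enrollment QR payload."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp/ URI; this example handles TOTP only")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    entry = {"label": unquote(u.path.lstrip("/")), "secret": q["secret"],
             "algorithm": q.get("algorithm", "SHA1").upper()}
    entry.update(digits=int(q.get("digits", 6)), period=int(q.get("period", 30)))
    return entry


def nondefault_params(entry):
    """Settings that differ from the defaults; an app that ignores them shows wrong codes."""
    return {k: entry[k] for k, v in DEFAULTS.items() if entry[k] != v}


def totp(entry, at):
    """RFC 6238 code for Unix time `at`."""
    s = entry["secret"].replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = (int(at) // entry["period"]).to_bytes(8, "big")
    mac = hmac.new(key, counter, entry["algorithm"].lower()).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** entry["digits"]).zfill(entry["digits"])


def verify(entry, code, at, drift=1):
    """Accept `code` for the current time step or `drift` steps either side."""
    times = (at + d * entry["period"] for d in range(-drift, drift + 1))
    return any(t >= 0 and hmac.compare_digest(totp(entry, t), code) for t in times)


# Constructed sample: the RFC 6238 test secret, not a real account.
SAMPLE_URI = ("otpauth://totp/Example%20Bank:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Bank")

if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print(entry["label"], nondefault_params(entry) or "default parameters")
    print("code at t=59:", totp(entry, 59), "accepted:", verify(entry, totp(entry, 59), 59))
```

A code that the service rejects usually traces back to one of three things visible here: a different secret was scanned, the phone clock is outside the accepted drift, or the URI set non-default parameters.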
5. Keep Authy installed until the last account is confirmed
Do not uninstall Authy as you go. Authy is your fallback if a new enrollment fails, if a service locks you out, or if you hit an account with a 24-hour security freeze. Keep it on your phone until every account is confirmed working on the new app. Then, and only then, sign out and remove it.
If you use Authy on multiple devices, sign out on each device separately so the deregistration goes through.
Accounts that make this hardest
Not every service makes disabling 2FA a button click. Budget extra time for these:
- Coinbase, Binance, Kraken, and most crypto exchanges. Many impose a 24 to 48 hour "security hold" after you change 2FA methods. Withdrawals are blocked during this window. Do not start a migration the day before you need to move funds.
- Older Gmail accounts. If your Google account has 2FA via Authy as the only method, removing it may require identity verification that takes days. Add a backup method (passkey, hardware key) before you touch Authy on Google.
- Bank websites. Chase, Wells Fargo, and some credit unions require you to call support to change 2FA methods. Plan a weekday morning for this.
- Work identity providers (Okta, Duo Mobile, Microsoft Entra). If your employer controls the 2FA policy, you may not be able to change it yourself. Ticket your IT team and ask for the re-enrollment flow.
- Steam, Epic Games, PlayStation. Gaming accounts often use proprietary authenticators rather than TOTP. Check before you try: if it is not TOTP, you cannot move it to a generic app at all.
- Old accounts with dead recovery email. If the recovery address on file is an inbox you cannot access, fix that first. Migrate the recovery email account before the account that uses it.
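One way to turn the blast-radius ordering from step 3 and the recovery-email rule above into a concrete work list, as an added example (not Fob's wizard or any app's code). It goes one step beyond the text: a recovery inbox inherits the most urgent tier of anything that depends on it. The tier names, the inventory and the function name are assumptions.

```python
import heapq

# Lower number = bigger blast radius = earlier, following the guide's priority order.
TIER = {"email": 0, "banking": 1, "crypto": 2, "work": 3, "other": 4}


def migration_order(accounts):
    """Blast-radius order, with every recovery inbox ahead of what depends on it.
    `accounts` maps name -> {"tier": str, "recovery": inbox account name or None};
    an inbox inherits the most urgent tier of anything that depends on it."""
    for name, acct in accounts.items():
        if acct["recovery"] is not None and acct["recovery"] not in accounts:
            raise ValueError(f"{name}: recovery inbox {acct['recovery']!r} is not in the inventory")
    urgency = {n: TIER[a["tier"]] for n, a in accounts.items()}
    dependents = {n: [] for n in accounts}
    for name, acct in accounts.items():
        seen, parent = {name}, acct["recovery"]
        if parent is not None:
            dependents[parent].append(name)
        while parent is not None:  # walk up the recovery chain
            if parent in seen:
                raise ValueError(f"recovery loop through {parent}; add another recovery factor")
            seen.add(parent)
            urgency[parent] = min(urgency[parent], TIER[acct["tier"]])
            parent = accounts[parent]["recovery"]
    ready = [(urgency[n], n) for n, a in accounts.items() if a["recovery"] is None]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            heapq.heappush(ready, (urgency[child], child))
    return order


# Constructed inventory; account names are placeholders.
INVENTORY = {
    "forum": {"tier": "other", "recovery": "fastmail"},
    "coinbase": {"tier": "crypto", "recovery": "old-isp-mail"},
    "old-isp-mail": {"tier": "other", "recovery": "fastmail"},
    "chase": {"tier": "banking", "recovery": "fastmail"},
    "fastmail": {"tier": "email", "recovery": None},
    "github": {"tier": "work", "recovery": "fastmail"},
}

if __name__ == "__main__":
    for position, name in enumerate(migration_order(INVENTORY), 1):
        print(position, name)
```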
Common migration mistakes
- Starting with the easy ones. Resist. If you burn out at account 25, you want the hard ones behind you.
- Not testing the new code before closing the tab. The service will happily accept a QR scan that failed silently. Confirm with a real code.
- Deleting Authy before every account is confirmed. You lose your fallback. Keep it until the end.
- Using a phone for the whole process. Desktop is faster. You can see two windows at once.
- Re-enrolling the same account twice. Some services allow multiple TOTP devices, some replace the old one silently. If you scan twice, verify which secret is active.
- Forgetting recovery codes. The one-time codes the service prints when you enable 2FA are your emergency access. Paste them into your password manager the same minute you see them.
- Doing this on public Wi-Fi. TOTP secrets go over TLS either way, but making sensitive account changes from a coffee shop is not a habit worth building. Do this at home, on your own network.
Why we built Fob
This guide works without Fob. That is the point. If you end up on Aegis or Bitwarden Authenticator because those fit your situation better, that is a good outcome.
A few things we did differently because of the problem you just read about:
- Tags, not folders. An account is crypto and exchange and high-value at the same time. Fob lets you tag an account with every term that applies and filter by any combination. No other authenticator has this.
- Export-always. You can export your vault in an open format any time, for any reason, behind a reauth prompt. We cannot hold your codes hostage. The architecture does not allow it.
- Zero-knowledge sync. Your vault is encrypted on-device with AES-256-GCM. The key is derived from your password via Argon2id and never leaves your devices. Our servers store an encrypted blob they cannot read. The full architecture is documented at fob.codes/security.
- Guided migration. The wizard does not magically extract your Authy data. Nothing can. It tracks progress as you re-enroll, so you always know which of your 40 accounts are done and which are still waiting.
Fob is Android-first. iOS follows. If that works for you, the waitlist is on the homepage.
FAQ
Can I export Authy accounts in 2026?
No. Authy does not offer a user-facing export on any platform or any paid tier. This has been the policy since the app launched, and it is not changing. The only way to move accounts out of Authy is to re-enroll each one at the service that issued it. A few unofficial workarounds circulated in 2024 that involved a deprecated debug build of the desktop app. Twilio patched those paths out in the final desktop release.
Will I lose access to my accounts during migration?
No, if you follow the sequence in this guide. You only disable 2FA on a service after you are already logged in, and you re-enable it within seconds using the new app. You are never without a working 2FA method for more than the time it takes to scan a QR code. Keeping Authy installed until the last account is confirmed gives you a fallback if anything goes sideways.
Is it safer to migrate on Wi-Fi or cellular?
Either is fine from an encryption standpoint. TOTP enrollment happens over TLS regardless of network. The practical advice is to do it at home, on a trusted network, on a desktop, so you can focus and see two windows at once. Avoid doing bank and crypto 2FA changes from a shared or public network.
What if I no longer have the phone number tied to Authy?
This is the worst case, and it happens a lot because Authy originally bound accounts to a phone number. If the SIM tied to your Authy account is gone and you can still open the Authy app on your current device, move fast: use the app as-is to migrate every account before anything else changes. If the app has already logged you out, you will need to contact Twilio support to recover the device, which can take days and is not always successful. Change your Authy phone number inside the app before you change your carrier, not after.
How long does the full migration take?
For 20 accounts, plan 60 to 90 minutes. For 40 accounts, plan 2 to 3 hours, split across two sessions. Crypto exchanges alone can eat an hour because of security holds. Do not start this when you are tired or in a hurry.
Should I use a hardware key instead of an app?
For your most valuable accounts, yes. A hardware key (YubiKey, Titan) resists phishing in a way TOTP cannot. Most people end up using both: a hardware key on email and banking, a TOTP app for the long tail. An authenticator app is not going away.
Get early access to Fob
Android first. iOS after. Tag-based filtering, end-to-end encrypted cloud backup, export anytime.