google-authenticator
Discontinued Open source version of Google Authenticator (except the Android app)
TOTP/HOTP codes are defined by an algorithm (sha1/md5/...), secret (A826EF8...), and number of digits (I usually see 6-digit codes). TOTP additionally takes time as a parameter (e.g., it changes every 30 seconds) and HOTP takes a counter as a parameter. All of these parameters go into the function to generate the numbers as a result.
If you have ever set one of these up with a QR code, that QR scans to something like: otpauth://totp/ACME%20Co:[email protected]?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30 (From: https://github.com/google/google-authenticator/wiki/Key-Uri-...)
So to directly answer your question: a backup would in some way contain all the parameters above, possibly in that otpauth:// format, but could be JSON or something else.
I would not consider Authy to be a trustworthy backup. I assume they are storing these secrets for you and transferring them to other computers at your request. If you can't see the secret, you can't switch to a different app. (Take this last paragraph with a grain of salt; I don't know much about Authy, but it sounds like trouble. I use FreeOTP and other open source OTP apps.)
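The parameters described in the comment above, as an added example that is not part of the original comments or of any authenticator app's code: it parses an otpauth:// URI into the fields a backup has to preserve and derives codes from them per RFC 4226 (HOTP) and RFC 6238 (TOTP). The sample URI, its account label and the function names are constructed for illustration; the secret is the RFC 6238 test key in Base32.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample URI; the secret is the RFC 6238 test key in Base32.
SAMPLE = ("otpauth://totp/Example%20Co:alice@example.com"
          "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Co"
          "&algorithm=SHA1&digits=6&period=30")

def parse_otpauth(uri):
    """Return the parameters a backup has to preserve for one account."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    p = {"type": u.netloc, "label": unquote(u.path.lstrip("/")),
         "issuer": q.get("issuer"), "secret": q["secret"],
         "algorithm": q.get("algorithm", "SHA1").upper(),
         "digits": int(q.get("digits", 6))}
    if p["algorithm"] not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError("unsupported algorithm")
    if p["type"] == "totp":
        p["period"] = int(q.get("period", 30))
    else:
        p["counter"] = int(q["counter"])  # HOTP state must be backed up too
    return p

def hotp(p, counter):
    """RFC 4226: HMAC over the 8-byte counter, then dynamic truncation."""
    s = p["secret"].replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # URIs omit padding
    mac = hmac.new(key, struct.pack(">Q", counter), p["algorithm"].lower()).digest()
    off = mac[-1] & 0x0F  # low nibble of the last byte picks the 4-byte window
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** p["digits"]).zfill(p["digits"])

def totp(p, now=None):
    """RFC 6238: HOTP where the counter is the current time step."""
    now = time.time() if now is None else now
    return hotp(p, int(now) // p["period"])

if __name__ == "__main__":
    params = parse_otpauth(SAMPLE)
    print(params)
    print("current code:", totp(params))
```

Anything that can read the parsed dictionary can mint valid codes indefinitely, which is why an exported backup needs the same protection as the secret itself.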
On Android you can use Aegis Authenticator[1], which allows an encrypted export of the private keys.
[1]: https://getaegis.app/