Google Authenticator HOTP vs TOTP


Time-based One-time Password (TOTP), popularized mainly by Google Authenticator, verifies your identity based on a shared secret. This secret must be shared online between you and the provider. When logging into a website, your device generates a unique code based on the shared secret and the current time.

If you have ever set one of these up with a QR code, that QR scans to something like: otpauth://totp/ACME%20Co: ?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30 (From. All of these parameters go into the function to generate the numbers as a result.

So to directly answer your question: a backup would in some way contain all the parameters above, possibly in that otpauth:// format, but could be JSON or something else. I assume they are storing these secrets for you and transferring them to other computers at your request. I would not consider Authy to be a trustworthy backup. If you can't see the secret, you can't switch to a different app. (Take this last paragraph with a grain of salt, I don't know much about Authy but it sounds like trouble. I use FreeOTP and other open source OTP apps.)


To authenticate using TOTP (time-based one-time password) the user enters a 6-8 digit code that changes every 30 seconds. The code is generated using HMAC(sharedSecret, timestamp), where the timestamp changes every 30 seconds. TOTP additionally takes time as a parameter (ex: it changes every 30 seconds) and HOTP takes a counter as a parameter.


OATH is an organization that specifies two open authentication standards: TOTP and HOTP. TOTP/HOTP codes are defined by an algorithm (sha1/md5/...), secret (A826EF8...), and number of digits (I usually see 6 digit codes).
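Putting the parameters named in the answers above into working code, as an added example that is not part of any answer on this page: HOTP per RFC 4226, TOTP per RFC 6238 built on top of it, a parser for the otpauth:// URI format quoted earlier, and the server-side checks that make the two differ in practice (a clock-skew window for TOTP, a counter look-ahead with replay protection for HOTP). The account label alice@example.com in the constructed URI, the one-step skew window and the ten-counter look-ahead are assumptions chosen for the demonstration; the Base32 secret is the one from the quoted URI, and the RFC test vectors use the RFCs' own 20-byte ASCII secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example: the URI quoted in the answer above, with an assumed
# account label (alice@example.com) filling the part the page left out.
EXAMPLE_URI = ("otpauth://totp/ACME%20Co:alice%40example.com"
               "?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ"
               "&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30")

# Shared secret used by the SHA1 test vectors in RFC 4226 and RFC 6238.
RFC_SECRET = b"12345678901234567890"


def parse_otpauth(uri):
    """Extract the generator parameters from an otpauth://totp or otpauth://hotp URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("expected an otpauth://totp/... or otpauth://hotp/... URI")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    b32 = query["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)            # many apps omit Base32 padding
    params = {
        "type": parsed.netloc,
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": query.get("issuer", ""),  # parse_qs already percent-decodes
        "secret": base64.b32decode(b32),
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", "6")),
    }
    if params["type"] == "totp":
        params["period"] = int(query.get("period", "30"))
    else:
        params["counter"] = int(query["counter"])  # HOTP URIs carry the start counter
    return params


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP whose counter is the number of `period`-second steps since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // period, digits, algorithm)


def verify_totp(secret, code, for_time=None, period=30, digits=6, algorithm="SHA1", window=1):
    """Server-side TOTP check tolerating `window` steps of clock skew either way.
    Returns the step offset that matched (0 = current step) or None."""
    if for_time is None:
        for_time = time.time()
    step = int(for_time) // period
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step + delta, digits, algorithm), code):
            return delta
    return None


def verify_hotp(secret, code, counter, look_ahead=10, digits=6, algorithm="SHA1"):
    """Server-side HOTP check. The token may have advanced its counter without the
    server seeing every code, so try `counter` and a few values ahead of it.
    Returns the counter the server must store next (one past the match), or None.
    Counters at or below the stored one are never tried: that is the replay defence."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), code):
            return c + 1
    return None


if __name__ == "__main__":
    p = parse_otpauth(EXAMPLE_URI)
    now_code = totp(p["secret"], period=p["period"], digits=p["digits"], algorithm=p["algorithm"])
    print(f"{p['issuer']} / {p['label']}: current TOTP = {now_code}")
    print("HOTP counter 0, RFC 4226 secret:", hotp(RFC_SECRET, 0))
    print("8-digit TOTP at T=59, RFC 6238 secret:", totp(RFC_SECRET, 59, digits=8))
```

Run it and the last two lines print 755224 and 94287082, the values from the RFC test-vector tables, which is the quickest way to confirm a fresh implementation before trusting it with a real secret. The two verifiers show the operational difference between the schemes: TOTP only needs the server's clock to be roughly right, while HOTP needs per-account counter state that must move forward on every accepted code.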
