Securing your Kraken account and digital life

Last updated: Aug 8, 2025

At Kraken, we prioritize and invest heavily in security. However, don't let this lower your own guard. No amount of security on our end can make up for inadequate personal security.

It is vital for clients to take advantage of the account security tools and advice that we offer and to never share access to the account with anyone else.

  1. Never allow anyone to create or manage an account on your behalf.

  2. Create a password that is long (at least 15 characters) and that is not used on any other website. We recommend using a password manager such as KeePass or 1Password.

  3. Enable Sign-in 2FA, ideally using multiple Passkeys. This is the most important security feature.

    1. Sign-in 2FA activates Step-up 2FA, an additional security layer required anytime you want to add, edit or remove any 2FA settings on your account.
    2. Warnings
      1. A poorly stored 2FA backup code puts your account at risk of compromise. If you are worried about losing your sign-in 2FA, set up multiple Passkeys and a Master Key (see point 4).
      2. There are potential security risks with using an Authenticator App. Upgrade your security settings by enabling Passkeys.

  4. Set up a Master Key to have additional protection against password resets and as a backup for your Sign-in 2FA.

    1. If your email is ever compromised, a Master Key can prevent unwanted Kraken password resets.
    2. Make sure the Master Key is set up using a different method from your Sign-in 2FA. For example, if you use a Hardware Security Key for Sign-in 2FA, then use a Cross-Device Passkey set up on your mobile device for the Master Key.

  5. Enable the Global Settings Lock (GSL) to prevent changes to your account settings and withdrawal addresses — even if an attacker gains access to your account.

    1. Always enable a Master Key before enabling the GSL. Kraken Support cannot speed up GSL removal.

  6. Enable 2FA for withdrawals, trading and API.

    1. Step-up 2FA or the GSL must be active in order for these 2FAs to be effective.

  7. Beware of scams.

    1. Bookmark id.kraken.com/sign-in to avoid using search engines to navigate to our site.
    2. Unlike authenticator apps, Passkeys are resistant to phishing. Enable them today.
    3. Never share your sign-in details with anyone. The Kraken Support Team will never ask for your password or ask you to install third-party software.
    4. Verify the legitimacy of any emails claiming to be from Kraken by checking "Is this email from Kraken?"

  8. Only use Kraken's official apps. Third-party mobile apps using Kraken's name or asking for your Kraken credentials are forms of phishing.

If the email address associated with your Kraken account is compromised, it can be used to request your username, reset your password and approve withdrawals.

  1. Create a password using the same guidelines as for your Kraken password.

    1. Ensure it is unique and not the same password used for any other accounts you may have.

  2. Set up Two-factor Authentication for your email address, preferably with Passkeys if they are an available option. If your email provider offers an SMS 2FA option, don't use it.

  3. Set up PGP (for Advanced clients) to receive signed and encrypted email from us, if your email provider supports it.

For additional information, see Securing your email address.

A compromised device can log and record everything you type into it, and mobile devices are the most common way to use two-factor authentication (2FA).

  1. Enable a password/PIN on your device.

    1. Create a secure passphrase and use biometric sign-in (fingerprint, face ID), if possible. Avoid easy-to-guess PINs and sign-in patterns.

  2. Don't share your device.

    1. Don't let friends and family guilt you into sharing access and passwords to your devices, especially if you use those devices for your 2FA.

  3. Never install remote access software such as AnyDesk, TeamViewer, RemotePC or GoToMyPC.

    1. Some customer service teams will request remote access to your computer to help troubleshoot technical issues. This is very dangerous and it is also a favorite technique of scammers.
    2. Kraken Support will never ask you to install remote access software!

  4. Avoid public computers and/or devices. Only sign in from your personal devices.

  5. Avoid work devices for personal accounts. They are able to monitor and record your activity.

Mobile phone numbers have become a critical element in authentication and account recovery processes. However, they pose significant security risks, especially for handling sensitive information, including cryptocurrency.

Telecom providers often lack robust security measures, leaving users vulnerable to attacks like phone number hijacking, where attackers use social engineering to gain control over a victim's number. The consequences can include theft, extortion, and loss of access to key accounts.

To safeguard your accounts and personal data, consider the following:

  1. Avoid using your mobile phone number as a primary identifier or for two-factor authentication (2FA) wherever possible.

    1. Replace SMS-based 2FA with Passkeys, Hardware Security Keys or authenticator apps for improved security.
    2. If SMS is your only option, consider a dedicated phone number solely for authentication. Use a pre-paid burner phone or a service like Google Voice to limit exposure.

  2. Set a strong PIN or passcode on your telecom account to secure changes and protect your number.

  3. Request a port freeze and enable a SIM lock to prevent unauthorized number transfers.

  4. Regularly audit your online accounts to ensure they are not linked to your phone number unnecessarily.

By taking these proactive measures, you can significantly reduce the risks associated with mobile phone vulnerabilities, securing your digital assets and safeguarding your online presence.

A compromised internet connection can steal your sign-in details and direct you to phishing sites. Here are some ways you can secure your internet connection:

  1. Change the default password on your home internet router.

    1. Keeping the default password will allow any stranger from the internet to gain control over your router.
    2. To prevent brute force attacks, use the same guidelines as for your Kraken password, ensuring it is unique.

  2. Make sure your WiFi network is password protected. This is separate from the router password.

  3. Create a guest network if your router has that option and keep the main network private for your devices only.

  4. Avoid public WiFi. Use your mobile data plan instead. If you have to use public WiFi, make sure to have a reputable VPN (avoid free VPNs).
