Cross-Device Passkeys can be used to sign in on any device. They may also be called Roaming 2FA. Examples are:

• Cloud-synced passkey: Passkeys stored with a cloud account e.g., iCloud Keychain, Password Manager, Google account.

• Mobile device-based passkey: Passkeys created and stored on your mobile device. It may utilize your device’s biometrics.

• Hardware Security Key: Passkeys created using a Yubikey, or similar physical FIDO2 device.

Device-Bound Passkeys can only be used to sign in on a single device i.e. the one it was created on. They may also be called Non-Roaming 2FA. Examples are:

• Browser-specific passkey: Created and stored within a browser profile (e.g., Chrome, Firefox, Edge).

Possible causes:

• A Cross-Device Passkey was created on your phone and not synced to other devices.

• PC is asking for a USB security key.

• Windows Security banner only shows USB option.

• QR code scan is not working, especially if multiple Android passkeys exist.

Possible solutions:

• Ensure Bluetooth is enabled on both your phone and computer.

• Keep both devices close together during authentication.

• A Device-Bound Passkey created on a mobile device can be shared with another device. Scan the QR code with your mobile device and confirm using biometrics.

• Make sure you’re using the correct Passkey method.

  • When prompted to enter the Passkey (including a USB method, if you don’t have one) on your computer, look for "Change Method" or “More Options” and select it (wording may vary depending on your device).

• If you use a Windows PC and have Windows Hello (PIN, fingerprint, facial recognition) set up, sometimes websites automatically try to use that as a Passkey.

  • Go to Windows Settings > Accounts > Sign-in options.

  • Look for options related to "Windows Hello PIN" or "Security Key".

• If multiple Passkeys are enabled in your device's password manager, ensure you are selecting the appropriate, active key for the correct Kraken account.

If the steps above don’t work:

1. Sign into your Kraken account on your phone.

2. Navigate to your Security settings.

3. Enable an additional Cross-Device Passkey. Your options include: Cloud-synced passkey e.g., iCloud Keychain, Password Manager. Device-based passkey created and stored on your mobile device. Hardware Security Key.

4. Use this new Passkey to sign into your account on your computer.

Setting up Passkeys can be such a quick process that if you are new to the process, it can be confusing as to what type of Passkey was added and where it was stored.

If you are currently signed into your account, navigate to your Security settings to view which Passkeys are enabled. You will be able to see the type of Passkey (Cross-Device, Device-Bound, Hardware Security Key etc.) and a description of where it was created/stored e.g. Chrome on Mac, Password Manager etc.

If anything is unclear, add a new Cross-Device Passkey, rename the description to something familiar and remove any Passkeys you do not recognise. Once Sign-in 2FA is enabled, our systems will enforce always having at least one Cross-Device Passkey enabled.

If you have multiple Kraken accounts, ensure you are signed into the same account across devices and are using the correct Passkey for the correct account.

If you are unable to sign into your account the following questions regarding Passkey set up may help you locate it:

• Did you scan a QR code using your mobile device?

  • If so, the Passkey may either be stored in your device’s keychain/keystore or in your password manager, if you have one. Check these.

• Did you insert and tap your Hardware Security Key?

  • The Passkey was likely created using your Hardware Security Key. When prompted for a Passkey, choose the option associated with Security Key. Depending on your device/browser, you may need to click a button similar to “More Options” or "Change Method" to see the Security Key option.

If you are still unable to locate your Passkey and sign into your account:

1. Navigate to kraken.com/sign-in

2. Enter your email/username and password

3. When prompted for a Passkey, click “Recover account”

4. Follow the on-screen instructions

Whether a Passkey is labeled as ‘Device-Bound’ or ‘Cross-Device’ is determined by the information the authentication method provides to Kraken during registration.

We’ve had sporadic reports from some clients registering a Cross-Device Passkey; it will register as a Device-Bound Passkey in a Kraken account. This is not an issue with Kraken but an issue with the authentication method itself and the information it is passing to Kraken.

We have confirmed reports this can occur with:

• Bitwarden

• Mobile device-based passkeys on Android

Other authentication methods may be affected.

What you can do:

• Contact your authentication method’s support and raise the issue with them.

• Create an alternative Cross-Device Passkey using either a mobile device (phone/tablet) or a Hardware Security Key. See What is a Passkey?

Once Sign-in 2FA is enabled, our systems will enforce always having at least one Cross-Device Passkey, or an Authenticator App, enabled. This is designed to ensure you always have a way to sign into your Kraken account on any device.

If you are trying to remove or replace a Cross-Device Passkey or an Authenticator App from your account, this will be impossible if it's the only Passkey or Sign-in 2FA method enabled or your only other Passkey is a Device-Bound Passkey.

If you have already enabled Sign-in 2FA either with an Authenticator App or a Cross-Device Passkey using a password manager or your device’s keychain, we recommend signing into your Kraken account on a computer via a web browser and adding additional Passkeys.

Another option is to get a FIDO2 compatible Hardware Security Key that can be used with both computer and your mobile device and use that as an additional, backup Passkey method.

It’s possible your Hardware Security Key isn’t supported.

We support every device listed as FIDO2 or FIDO2/WebAuthn. U2F keys may not be supported. Check with your Hardware Security Key provider to ensure your device is FIDO2/WebAuthn compliant.

• Ensure your Security Key is NFC compatible. Check with the Hardware Security Key provider.

• Verify that your phone supports NFC and has it enabled.

  • iPhone: iPhone 7 and newer, running a supported version of iOS.

  • Android: NFC can be toggled under Settings, although the exact location of the setting varies. If possible, try searching for NFC within your Settings app.

• If your phone is in a case, try removing it to ensure it isn’t interfering.

  • Ensure you are holding your key near the NFC reader on your phone.

  • If you don’t know where this is, contact the Hardware Security Key provider or your mobile device’s manufacturer.

Some password managers may intercept passkey-related requests when you try to create or use a passkey. By default, they often prompt you to use a passkey saved in their vault - even if no passkey is stored there. This prevents you from accessing passkeys stored in your browser, operating system, or on a hardware key.

Password managers can register themselves as the first handler for passkey requests. When this occurs:

• The password manager responds first, even if it doesn’t have a matching passkey.

• This blocks other passkey sources (such as the browser, OS, or hardware key) from responding.This applies to both registering a new passkey and authenticating with an existing passkey.

The issue can also affect Hardware Security Keys. A password manager may intercept the request before your Hardware Security Key can be used, preventing it from completing authentication.

Solutions:

• Most Password Managers offer options to prevent this conflict. Common solutions include:

• Disabling Passkey handling for a specific domain (e.g., kraken.com).

• Skipping or passing through the current request so your browser’s built-in Passkey manager (or Hardware Security Key) can respond.

If you have enabled a Device-Bound Passkey using a web browser, it can only be used on that specific browser.

For example, if you enabled the Passkey on your laptop using Chrome, you will not be able to use it with Safari, even if you’re on the same laptop. Similarly, if you enabled the Passkey on your desktop using Firefox, you will not be able to use it with Firefox’s incognito mode.

A web browser Device-Bound Passkey is designed to only be used on the exact browser it was created with.

However, if you set up a Device-Bound Passkey on your phone, you can use it on another device by scanning the QR code with your phone and confirming with your biometrics.

If you first installed your Hardware Security Key on a Windows device it would have requested you to set up a PIN. If you did enable a PIN and have incorrectly entered it three times in a row, reboot the Security Key by removing and reinserting it before trying again

For an overview on how to set up or use a PIN visit the website of your Hardware Security Key manufacturer i.e. if you use a YubiKey, visit Yubico's website.

• Windows 10 or later

• macOS Ventura or later

• ChromeOS 109 or later

• iOS 16 or later

• iPadOS 16 or later

• Android 9 or later

• Must support the FIDO2 protocol