At Kraken, we prioritize and invest heavily in security. However, don't let this put your own guard down. No amount of security on our end can make up for inadequate personal security.
It is vital for clients to take advantage of the account security tools and advice that we offer and to never share access to the account with anyone else.
- Never allow anyone to create or manage an account on your behalf.
- Choose a username that is hard to guess and not used on any other website. Never share your username with anyone.
- Create a password that is long (at least 15 characters) and that is not used on any other website.
Set up Sign-In 2FA, ideally using a YubiKey. This is the most important security feature. Additionally, enabling a Sign-in 2FA activates Step-up 2FA, which is an extra step that is required anytime you want to add, edit or remove any 2FA settings on your account. Once a change to your Kraken account is requested, you will be prompted to confirm your Sign-in 2FA again via the 6-digit code from your authenticator app or via your YubiKey. The code must be entered correctly before any changes can be made to the 2FA settings on your account.
Warning about Sign-In 2FA backups: A poorly stored 2FA backup can be counter-productive and result in your 2FA being compromised. If you are worried about losing your Sign-In 2FA, set up a Master Key instead (see below).
Warning about authenticator apps that use cloud storage: If their cloud storage is hacked, it can compromise your Sign-In 2FA.
Set up a Master Key to have additional protection from password resets (in case your email is compromised) and as a backup for your Sign-In 2FA.
IMPORTANT: Make sure the Master Key is set up using a different method from your Sign-In 2FA. For example, if you use a YubiKey for Sign-In 2FA, then use authenticator app or a different YubiKey for the Master Key.
- Beware of phishing scams. Even Sign-In 2FA can't protect your account if you enter it on a phishing website or share it with a scammer.
- Only use Kraken's official mobile apps. Third-party mobile apps using Kraken's name or asking for your Kraken credentials are forms of phishing.
- Use API keys with caution. Sharing your API private key or QR code is the same as sharing your account password!
If the email account registered to your Kraken account is compromised, it can be used to request your username, reset your password and approve withdrawals.
Note: We strongly recommend setting up an email account that you only use for Kraken.
- Create a password using the same tips as for your Kraken password, but make the email password different.
- Set up Sign-In 2FA just as you would for your Kraken account, and don't use the SMS option if your email provider offers it.
- Remove your phone numbers from your email account.
- Check your settings and activity. See our securing your email account guide for more details.
Set up PGP (for Advanced clients). If your email application supports PGP, enter your PGP public key in your Kraken account settings to receive signed and encrypted email from us.
PGP encryption makes it so that even if your email address is compromised, the hacker won't be able to read your automated emails from Kraken unless they also have your private key.
- A compromised internet connection can steal your sign-in details and direct you to phishing sites. Here are some ways you can secure your internet connection:
- Router password. Change the default password on your home internet router. Keeping the default password will allow any stranger from the internet to gain control over your router. To prevent brute force attacks, use a long phrase (rather than a single word) along with numbers and symbols.
WiFi password. Make sure your WiFi network is password protected. This is separate from the router password.
- Guest network. Create a guest network if your router has that option and keep the main network private for your devices only.
- Avoid public WiFi. Use your mobile data plan instead. If you have to use public WiFi, make sure to have a reputable VPN (avoid free VPNs).
- A compromised device can log everything you type into it and mobile devices are the most common way to use two-factor Authentication (2FA).
- Device password. Create a secure passphrase and use fingerprint sign-in if possible. Avoid easy to guess pins and sign-in patterns.
- Don't share your device. Don't get guilted by friends and family to share access and passwords to your devices, especially if you use those devices for your 2FA.
- Never give remote access. Some customer service teams will request remote access to your computer to help troubleshoot technical issues, but this is very dangerous and it is also the favorite technique of scammers. So always say 'No' to applications such as RemotePC, TeamViewer and GoToMyPC. Kraken Support will never ask you to install remote access software!
- Avoid public devices. Only sign in from your personal devices.
- Avoid work devices for personal accounts. They are able to monitor and record your activity.
- Once you've finished verifying and setting up your Kraken account, you can add even more protections in case your sign-in is compromised in any way.
- Set up two-factor Authentication (2FA) for withdrawals, trading and API. However, the Global Settings Lock or Step-up 2FA must be enabled in order for these 2FAs to be effective.
- Enable the Global Settings Lock (GSL) to prevent changes to your account settings and withdrawal addresses — even if an attacker gains access to your account.
Important: If you want the option to immediately turn off the GSL at any time, you'll need to setup the Master Key before enabling the GSL. Kraken Support cannot speed up GSL removal.