At Kraken, we prioritize and invest heavily in security. However, don't let this put your own guard down. No amount of security on our end can make up for inadequate personal security.
It is vital for clients to take advantage of the account security tools and advice that we offer and to never share access to the account with anyone else.
Securing your Kraken Sign-In
1. Never allow anyone to create or manage an account on your behalf.
2. Choose a Username that is hard to guess and not used on any other website. Never share your username with anyone.
3. Create a Password that is long (at least 15 characters) and that is not used on any other website.
Warning about Sign-In 2FA backups: A poorly stored 2FA backup can be counter-productive and result in your 2FA being compromised. If you are worried about losing your Sign-In 2FA, set up a Master Key instead (see below).
Warning about authenticator apps that use cloud storage: If their cloud storage is hacked, it can compromise your Sign-In 2FA.
5. Set up a Master Key to have additional protection from password resets (in case your email is compromised) and as a backup for your Sign-In 2FA.
IMPORTANT: Make sure the Master Key is set up using a different method from your Sign-In 2FA. For example, if you use a YubiKey for Sign-In 2FA, then use an authenticator app or a different YubiKey for the Master Key.
6. Beware of phishing scams. Even Sign-In 2FA can't protect your account if you enter it on a phishing website or share it with a scammer.
7. Only use Kraken's official mobile apps. Third-party mobile apps using Kraken's name or asking for your Kraken credentials are a form of phishing.
8. Use API keys with caution. Sharing your API private key or QR code is the same as sharing your account password!
Securing your Email
If the email account registered to your Kraken account is compromised, it can be used to request your username, reset your password, and approve withdrawals.
1. Create a Password using the same tips as for your Kraken password, but make the email password different.
2. Set up Sign-In 2FA just as you would for your Kraken account, and don't use the SMS option if your email provider offers it.
4. Check your settings and activity. See our securing your email account guide for more details.
5. Set up PGP (for Advanced users). If your email application supports PGP, enter your PGP public key in your Kraken account settings to receive signed and encrypted email from us.
PGP encryption makes it so that even if your email address is compromised, the hacker won't be able to read your automated emails from Kraken unless they also have your private key.
Securing your Internet
A compromised internet connection can be used to steal your sign-in details and direct you to phishing sites. Here are some ways you can secure your internet connection:
1. Router password. Change the default password on your home internet router. Keeping the default password will allow any stranger from the internet to gain control over your router. To prevent brute-force attacks, use a long phrase (rather than a single word) along with numbers and symbols.
2. WiFi password. Make sure your WiFi network is password protected. This is separate from the router password.
3. Guest network. Create a guest network if your router has that option and keep the main network private for your devices only.
4. Avoid public WiFi. Use your mobile data plan instead. If you have to use public WiFi, make sure to have a reputable VPN (avoid free VPNs).
Securing your Devices
A compromised device can log everything you type into it, and mobile devices are the most common way to use Two-Factor Authentication (2FA).
1. Device password. Create a secure passphrase and use fingerprint sign-in if possible. Avoid easy-to-guess PINs and sign-in patterns.
2. Don't share your device. Don't get guilted by friends and family into sharing access and passwords to your devices, especially if you use those devices for your 2FA.
3. Never give remote access. Some customer service teams will request remote access to your computer to help troubleshoot technical issues, but this is very dangerous and it is also the favorite technique of scammers. So always say 'No' to applications such as RemotePC, TeamViewer, and GoToMyPC. Kraken Support will never ask you to install remote access software!
4. Avoid public devices. Only sign in from your personal devices.
5. Avoid work devices for personal accounts. They are able to monitor and record your activity.
Securing your Kraken settings
Once you've finished verifying and setting up your Kraken account, you can add even more protections in case your sign-in is compromised in any way.
2. Enable the Global Settings Lock (GSL) to prevent changes to your account settings and withdrawal addresses — even if an attacker gains access to your account.
Important: If you want the option to immediately turn off the GSL at any time, you'll need to set up the Master Key before enabling the GSL. Kraken Support cannot speed up GSL removal.