Two-factor authentication greatly increases the security of your account by requiring a second dynamic passcode in addition to the standard username and password. Google Authenticator or Yubikey should be used to generate dynamic passcodes for maximum security.
Before you set up two-factor authentication, you'll need to decide on a method for generating dynamic passcodes. (We offer a static passcode option, but this isn't recommended.) The most common methods are via the Google Authenticator application (for Android, iOS, BlackBerry, etc.) or with a dedicated Yubikey device. Google Authenticator gives you the choice between HOTP and TOTP while Yubikey is only HOTP (see below for an explanation of HOTP and TOTP). But the more significant difference between the two is that Google Authenticator is a software token while Yubikey is a hardware token, meaning that Yubikey is a bit more secure since it isn't vulnerable to software-based attacks.
To set up two-factor authentication in your Kraken account, go to Security > Two-Factor Authentication. Click "setup" and choose the two-factor option you want.
Two-factor devices generate dynamic passcodes on the basis of a static key and a "moving factor." HOTP stands for "HMAC-based One Time Password" and the moving factor is a simple counter that increments each time an OTP is generated. TOTP stands for "Time-based One Time Password" and the moving factor in this case is the passage of time (a new OTP is generated by the device every 30 seconds).
The TOTP password is short-lived, while the HOTP password may be valid for an unknown amount of time (until your next login). TOTP requires less maintenance, but the clocks on the device and our servers need to be synchronized; HOTP requires more maintenance but no synchronization. As a result, TOTP is generally considered the more secure one-time password solution. For most users, however, the difference is marginal compared to the benefits gained from using two-factor authentication in the first place. For more information:
Selecting the "Password" option gives you a static passcode, which is much less secure than a dynamic one. Not recommended unless you have a special reason for preferring it.
If you are using TOTP with the Google Authenticator app please choose SHA1 as the OTP Algorithm.
Complete the setup process by following the given instructions. Be careful about changing some of the default options, as setup failures may result (see warnings provided in the instructions).
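How the static key and moving factor described above combine into a passcode, shown as an added example (not Kraken's code) that follows the public HOTP and TOTP specifications with SHA1. The key is the constructed test key from the HOTP specification, and the 6-digit length, look-ahead window and drift tolerance are illustrative assumptions.

```python
import hashlib
import hmac
import struct

KEY = b"12345678901234567890"  # constructed sample key (the RFC 4226 test key)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: the same computation, with the time step as the counter."""
    return hotp(key, unix_time // step, digits)

def verify_hotp(key, code, server_counter, look_ahead=3):
    """Return the server's next counter if the code matches, else None.
    The look-ahead covers codes generated on the device but never submitted."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(key, c), code):
            return c + 1  # every counter up to and including c is now spent
    return None

def verify_totp(key, code, unix_time, step=30, drift_steps=1):
    """Accept the current time step plus or minus drift_steps of clock skew."""
    now = unix_time // step
    return any(hmac.compare_digest(hotp(key, c), code)
               for c in range(max(0, now - drift_steps), now + drift_steps + 1))

if __name__ == "__main__":
    stale = hotp(KEY, 5)                   # generated on the device, not used yet
    print("HOTP accepted later:", verify_hotp(KEY, stale, 5))
    print("HOTP after counter moved on:", verify_hotp(KEY, stale, 6))
    code = totp(KEY, 59)                   # code shown at t = 59 s
    print("TOTP 30 s later:", verify_totp(KEY, code, 89))
    print("TOTP 90 s later:", verify_totp(KEY, code, 149))
```

The HOTP code stays acceptable until the server's counter passes it, however long that takes, while the TOTP code stops verifying once the clock leaves the tolerated window.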
You should also set up two-factor authentication for the Master Key. This increases security for critical functions such as resetting passwords and requesting two-factor authentication bypass codes.
To set up a Master Key correctly, you'll need a second two-factor device. If you only have one two-factor device and create the Master Key, it's actually better to choose the password option for the Master Key rather than putting it on the same two-factor device. The reason for this is that the Master Key will be needed for account recovery if you lose your two-factor device, so it doesn't make sense to put it on the same device you use for account login. But if you use the "Password" option for the Master Key, make sure you store the password in a very safe place.