Two-factor authentication (2FA) is an extra layer of security for your Kraken account. While using sign-in 2FA, gaining access to your account will require your username, password and an additional passcode that can only be created from a physical device that you own.
To learn more about the sign-in 2FA method, check out this article: How does 2FA for sign in work?
Why use 2FA?
2FA ensures that:
✓ Unauthorized access is stopped if your username and password are stolen.
✓ Your account can only be accessed by the holder of the device that has the 2FA code.
✓ Every time you sign in, your device creates a unique passcode that is required for accessing your account.
How 2FA works
2FA requires an extra passcode when signing in, trading, withdrawing or depositing. This passcode can come from an authenticator app on your phone, where the passcode changes every 30 seconds, or from a Hardware Security Key, where the passcode changes after each use and the key can even recognize the website that you are trying to sign into.
Enabling sign-in 2FA also activates Step-up 2FA. This is an extra step that is required any time 2FA settings on your account are added, edited or removed. Once a change to your Kraken account is requested, a popup window will appear asking you to confirm your sign-in 2FA again via the 6-digit code from your authenticator app or via your Hardware Security Key.
Without the Step-up 2FA code no changes can be made, even if somebody managed to sign into your account without your permission.
Adding 2FA and signing into your account with 2FA
The difference between sign-in 2FA, trading 2FA, funding 2FA and the Master Key
Functions are all the different actions you can enable 2FA for.
To learn more about the 2FA functions and how to set them up, check out these articles:
Without the Global Settings Lock (GSL) and the sign-in 2FA enabled, the other 2FA functions can be removed in the event of unauthorized access to your account.
Tip: Enable the GSL after you have enabled 2FA functions.
Authenticator app versus Security Key
Each function can have 2FA enabled using different methods.
For example, you may choose to use the Hardware Security Key method for the sign-in function because Hardware Security Keys are the most convenient and secure to use in daily life.
Then for your Master Key function, you may choose to use the authenticator app method because it is less convenient to use and not needed as frequently. The Master Key is only needed in the rare case when you've lost your sign-in 2FA, have to change your password or need to remove the GSL immediately.
Having sign-in 2FA and the Master Key on the same device cancels out the security that these functions guarantee when kept separate. The 2FA method used for the Master Key should be different from the one used for your sign-in 2FA, otherwise it defeats the purpose of the Master Key.
If you use separate devices, you could use an authenticator app for both functions, as each app will generate a different code.
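The 30-second passcode from "How 2FA works" and the point that separate devices generate different codes can both be seen in the added example below, which is not Kraken's code. It assumes the authenticator app follows the standard TOTP scheme (RFC 6238, HMAC-SHA1), which the page does not state, and the two secrets are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per passcode, matching "changes every 30 seconds" above
DIGITS = 6   # the 6-digit code the page mentions

# Constructed sample secrets, one per device (not real account secrets).
# The first is the RFC 6238 test key so the output can be checked.
SIGNIN_SECRET = base64.b32encode(b"12345678901234567890").decode()
MASTER_KEY_SECRET = base64.b32encode(b"second-device-secret").decode()


def code_for_counter(secret_b32: str, counter: int) -> str:
    """HOTP (RFC 4226): HMAC the counter, then dynamically truncate."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, unix_time: int) -> str:
    """Passcode for the 30-second window that contains unix_time."""
    return code_for_counter(secret_b32, unix_time // STEP)


def verify(secret_b32: str, submitted: str, unix_time: int, drift: int = 1) -> bool:
    """Accept the current window plus `drift` windows either side (clock skew)."""
    now = unix_time // STEP
    ok = False
    for counter in range(max(0, now - drift), now + drift + 1):
        # compare_digest avoids leaking how many digits matched via timing
        ok |= hmac.compare_digest(code_for_counter(secret_b32, counter), submitted)
    return ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test time
    print("sign-in device:    ", totp(SIGNIN_SECRET, t))
    print("same window (t=31):", totp(SIGNIN_SECRET, 31))
    print("next window (t=60):", totp(SIGNIN_SECRET, 60))
    print("Master Key device: ", totp(MASTER_KEY_SECRET, t))
    print("old code 2 min on: ", verify(SIGNIN_SECRET, totp(SIGNIN_SECRET, t), t + 120))
```

The code depends only on the shared secret and the clock, so a device holding a different secret cannot produce the sign-in code, and a code from an earlier window is rejected once it falls outside the allowed drift.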
To learn more about the 2FA methods and how to set them up, check out these articles: