What is a Yubikey?

If you just want to learn how to set up Two-factor Authentication (2FA) using a Yubikey, click here.

A Yubikey is a USB device that you insert into your computer. It generates a unique passcode every time you touch or tap its button.

The passcode can be used for login, trading, and depositing or withdrawing funds from your account, or as a Master Key. Note: 2FA for each of these account actions needs to be set up separately.

How does a Yubikey work?

The passcodes are generated from a secret code that is shared between the service you are using (e.g. Kraken) and your Yubikey, as well as the increment counter (i.e. how many times you've generated a passcode with your Yubikey). 

Where can I get a Yubikey?

You can purchase a Yubikey on the website of Yubico, the producer of Yubikeys.

Make sure the Yubikey you buy meets our compatibility requirements.

Why should I use a Yubikey instead of other 2FA options?

There are a few reasons why a Yubikey may be preferable over other 2FA options:

Simplicity: All you need to do with a Yubikey is plug it into your computer and touch or tap a button. No need to copy a passcode from an authenticator app, or worry about your device's battery running out.

Harder to lose: We see a lot of lost phone tickets at Kraken Support. In our experience, a client is less likely to lose a device used specifically for 2FA than a device, like a phone, that is carried around all the time.

Privacy: Even if you lose your Yubikey, it has no identifiable information about what it is used for or who it belongs to. In contrast, an authenticator app by necessity mentions the website name and some identifiable account information because the passcode needs to be manually read by a human (this can be changed/removed, but most people keep the defaults).

Security: OTPs generated by a Yubikey are significantly longer than those from an authenticator app (32 characters vs 6 or 8 characters), which means a higher level of security.

Future improvements: With the U2F protocol (coming soon to Kraken), Yubikey binds user login to the original website’s URL. Only the real site can authenticate with the key. This means that while you may be tricked into thinking a website is real, the Yubikey won’t reveal your credentials.