A Security Key is a small physical device used for additional security next to your password and is considered one of the most secure forms of two-factor authentication (2FA). Most Security Keys are very simple to use: you only need to touch or tap a button while the key is plugged into a USB port of your device (or held against it, for keys that support NFC).
Kraken supports security keys that use the OATH OTP or FIDO2 protocol.
We recommend FIDO2 because it is resistant to phishing; OATH OTP is also secure.
At this moment, only sign-in 2FA can be secured with either protocol (FIDO2 or OATH OTP). Funding 2FA and the Master Key can, however, be secured with a YubiKey. To enable trading 2FA you will need to use an authenticator app or a static password. We expect to support FIDO2 for all 2FA functions in the near future.
Using a Security Key is still much more secure, for several reasons. One of them is that a Security Key generates a 32-character passcode, versus the 6 to 8 characters of an authenticator app or SMS-based authentication.
During a FIDO2 sign-in, Kraken sends a challenge to your browser, which passes it to your Security Key together with the website's origin. The Security Key only answers for the website it was registered on, so a challenge relayed by a look-alike site is refused. After this check, the Security Key signs the challenge with its private key and your browser sends the signed response back to Kraken, allowing you to sign into your account.
All you need to do with a Security Key is plug it in, or hold it against your device, and touch or tap a button. No need to copy a passcode from an authenticator app or worry about your device's battery running out.
OTPs generated by a Security Key are significantly longer than those from an authenticator app (32 characters versus 8 or fewer). FIDO2 adds security on top of this: the Security Key only responds to a challenge from the website you registered it on (your browser tells the key which site is asking), so a phishing site cannot obtain a valid response.
- Harder to lose
We see a lot of tickets at Kraken Support from people who lost their phone. In our experience, it is less likely that you lose a device used only for 2FA than a phone that is carried around all the time.
Even if you lose your Security Key, it carries no visible information about what it is used for or who it belongs to. An authenticator app, in contrast, shows the website name and some identifiable account information, because the passcode has to be read by a human.
Some of the most popular FIDO2 security key providers are:
It is up to you which provider you choose. We recommend starting with a search for “fido2 security key comparison” in your preferred search engine, or picking one of the popular Security Key providers mentioned above.