What is a Security Key and why should I use one?

A Security Key is a small physical device that you use alongside your password and is considered one of the most secure forms of two-factor authentication (2FA). Most Security Keys are very simple to use: you only need to touch or tap a button while the key is plugged into a USB port of your device.

Kraken supports Security Keys that use Yubico OTP or FIDO2 protocols.

We recommend FIDO2; however, Yubico OTP is also secure.

Only sign-in 2FA can be secured with a FIDO2 Security Key at the moment. However, funding 2FA and the Master Key can be secured with a YubiKey using Yubico OTP. For trading 2FA you will need to use either an authenticator app or a static password. We expect to support FIDO2 for most 2FA functions in the near future.

What is Yubico OTP?
Yubico OTP is a protocol supported by most YubiKeys (Yubico's FIDO-only Security Key series does not include it). When you touch the key while it is plugged in, it types a unique 44-character passcode: the first 12 characters are the key's public identity, and the remaining 32 encode a 16-byte block that is encrypted with an AES key that never leaves the device and that contains a usage counter. Each passcode can only be used once; a replayed or out-of-sequence passcode is rejected. Compared with the 6-8 digit codes of an authenticator app it is far harder to guess, and the secret cannot be copied off a phone. Note, however, that a Yubico OTP typed into a look-alike website can be forwarded to Kraken by the attacker before you use it, so unlike FIDO2 it does not protect you against phishing.
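As an added illustration that is not part of Kraken's article or of Yubico's validation software: a Python parser for the 44-character passcode and a pre-check that refuses a passcode it has seen before. The sample passcode is constructed, not a real key's output, and the public identity 000000000102 is an assumed enrolment. Decrypting the 16-byte block and checking its counters requires the key's AES secret, which only the validation service has, so that step is deliberately outside this example; the replay check also does not help against a passcode that a phishing site forwards to Kraken before you use it, which is why FIDO2 is the recommended option.

```python
MODHEX = "cbdefghijklnrtuv"   # ModHex alphabet: the index of a letter is its hex nibble
PUBLIC_ID_CHARS = 12          # first 12 chars: 6-byte public identity of the key
OTP_CHARS = 44                # 12 + 32 chars; the last 32 are a 16-byte AES-128 block


def modhex_decode(text):
    """Decodes ModHex (two letters per byte); rejects anything outside the alphabet."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not ModHex")
    return bytes(MODHEX.index(hi) << 4 | MODHEX.index(lo)
                 for hi, lo in zip(text[::2], text[1::2]))


def parse_otp(otp):
    """Splits a Yubico OTP into (public identity as hex, 16-byte ciphertext)."""
    otp = otp.strip().lower()
    if len(otp) != OTP_CHARS:
        raise ValueError("expected %d characters, got %d" % (OTP_CHARS, len(otp)))
    public_id = modhex_decode(otp[:PUBLIC_ID_CHARS]).hex()
    return public_id, modhex_decode(otp[PUBLIC_ID_CHARS:])


class OtpGate:
    """Pre-checks an OTP before it is handed to the validation service: well formed,
    from a key enrolled on this account, and never presented before. Decrypting the
    block and checking its counters needs the key's AES secret and is NOT done here."""

    def __init__(self, enrolled_public_ids):
        self._enrolled = set(enrolled_public_ids)   # assumed enrolment data
        self._used = set()

    def check(self, otp):
        otp = otp.strip().lower()    # normalise so a re-typed copy is still caught
        try:
            public_id, _ciphertext = parse_otp(otp)
        except ValueError as exc:
            return "reject: malformed (%s)" % exc
        if public_id not in self._enrolled:
            return "reject: key %s not enrolled" % public_id
        if otp in self._used:
            return "reject: replayed"     # a one-time code seen twice is an attack
        self._used.add(otp)
        return "pass: forward to validation service"


# Constructed sample, not output from a real key: public ID 000000000102 + 16 bytes.
SAMPLE_OTP = "cccccccccbcd" + "ngjkhtldrfetbvftdiegnkhbuuihcecu"
```

`OtpGate(["000000000102"]).check(SAMPLE_OTP)` passes the first time and is refused as replayed the second, whether or not the passcode is re-typed in capitals; a passcode from a key that is not enrolled, or one containing a letter outside the ModHex alphabet, is refused before anything else is looked at.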
What is FIDO2?
FIDO2 is a protocol that prevents phishing by verifying the legitimacy of the website you use the Security Key for. When you register the key, it creates a private key that never leaves the device and a corresponding public key that Kraken stores, bound to the Kraken website. Every time someone attempts to sign in with your username and password, Kraken sends a fresh challenge for your unique Security Key. Your browser passes the challenge to the key together with the identity of the website that asked for it; the key only answers for a website it was registered with, and its signed response includes that website's origin, so Kraken can verify it as well. Since a FIDO2 Security Key can only authenticate services you have previously registered it with, it will not produce a valid response for a website that is imitating Kraken, and there is no passcode you could be tricked into typing.
Why should I use a Security Key instead of an authenticator app?
  • Simplicity: All you need to do with a Security Key is plug it into, or hold it against, your device and touch or tap a button. There is no need to copy a passcode from an authenticator app or to worry about your device's battery running out.
  • Security: OTPs generated by a Security Key are significantly longer than those from an authenticator app (44 characters versus 8 or fewer). FIDO2 adds further security on top of this, because the key will only respond to a challenge from the website you registered it on, and so prevents phishing.
  • Harder to lose: We see a lot of tickets at Kraken Support because someone lost their phone. In our experience, it is less likely that you lose a device used specifically for 2FA than a phone that is carried around all the time.
  • Privacy: Even if you lose your Security Key, it carries no identifiable information about what it is used for or who it belongs to. In contrast, an authenticator app shows the website name and some identifiable account information, because the passcode needs to be read by a human.
Where can I get a Security Key?

Some of the most popular FIDO2 security key providers are:

Each has its own advantages and disadvantages. Some are multifunctional and also serve as a cryptocurrency wallet, while others specialise in providing security above everything else. It is up to you which provider you choose; we recommend starting with a search for "fido2 security key comparison" in your preferred search engine or picking one of the popular Security Key providers we mentioned earlier.