Enabling Two-Factor Authentication (2FA) for Login improves account security by adding a second authentication method in addition to your login password for signing in to your Kraken account. This helps protect against attackers, as any attacker would not only need the username and password, but also be in possession of your 2FA code to login to your account.
For example, if your email account is compromised, an attacker could request your Kraken username and reset your account password through your email. Having 2FA for Login enabled on your Kraken account would prevent that attacker from successfully logging even after gaining possession of both your username and password.
Tip: you can prevent password resets on your Kraken account by setting up a Master Key.
Below is screenshot example of how Login 2FA can prevent an attacker from gaining access to your account:
Attempted attack: known username and password but unknown 2FA.
Result: Invalid login due to missing or incorrect 2FA, access denied.
However, even Login 2FA can't protect your account if you enter it on a phishing website or share it with a scammer, so beware of phishing scams.
Should I set up Login 2FA?
Yes! At Kraken, we consider 2FA for logins a basic security feature that all account holders should utilize for both their Kraken account and email account!
How do I set up Login 2FA?
You can set up a Login 2FA by logging in to your Kraken account and clicking on the “Security” tab. Next, click the "On/Off" dial under “Security and Login” and choose the 2FA method you want to use.
The methods are:
- Yubikey device (most secure)
- Authenticator app (moderately secure)
- Static password (least secure; not recommended)
Security Tip: The Login 2FA device or static password for your Kraken account should be kept separate from your username and password, as storing this information together would provide an attacker all the information needed to access your account.
If the device that your 2FA is on has been lost or stolen, your account is at risk of being compromised, especially if your email account can be accessed from that device. You should immediately login to your Kraken account and change your password and 2FAs. Likewise, login to your email account and change the password and 2FAs there. If you are unable to login, contact client support to have your account temporarily disabled.