Enabling Two-Factor Authentication (2FA) for sign-in improves account security by requiring a second authentication method, in addition to your password, when you sign in to your Kraken account. An attacker would then need not only your username and password but also your current 2FA code (or the device that generates it) to sign in.
For example, if your email account is compromised, an attacker could request your Kraken username and reset your account password through that email. With Sign-In 2FA enabled on your Kraken account, that attacker still could not sign in, even after obtaining both your username and your new password.
Tip: You can prevent password resets on your Kraken account by setting up a Master Key.
However, even Sign-In 2FA can't protect your account if you enter your 2FA code on a phishing website or share it with a scammer, so beware of phishing scams. A 2FA code is only as secure as the site you type it into.
Sign-In 2FA is mandatory
At Kraken, we consider Sign-In 2FA a basic security feature that all account holders should use for both their Kraken account and the email account linked to it.
How do I set up Sign-In 2FA?
1. Sign in to your Kraken account.
2. Click on your name in the upper-right corner of the page.
3. Click on Security.
4. Under "Two-factor authentication", select "Change method" for Sign-In and choose the 2FA method you want to use.
The methods available are:
- YubiKey device (most secure)
- Authenticator app (moderately secure)
- Static password (no longer available for Sign-In 2FA)
Security Tip: Keep the Sign-In 2FA device for your Kraken account separate from your username and password. Storing all three together (for example, the authenticator secret in the same password-manager entry as the password, or on the same device that holds them in a notes file) gives an attacker who obtains that one store everything needed to access your account.
If the device holding your 2FA has been lost or stolen, your account is at risk of compromise, especially if your email account can also be accessed from that device. Immediately sign in to your Kraken account and change your password and your 2FA methods. Likewise, sign in to your email account and change its password and 2FA there. If you are unable to sign in, contact our client engagement team to have your account temporarily disabled.