Keeping the email account registered with your Kraken account safe is the single most important step in securing your Kraken account. This is because someone with access to your email account can potentially gain access to your Kraken account.
With access to your email account an attacker can:
- request your username
- reset your password (can be prevented if Master Key is enabled)
- reset your Two-factor Authentication (2FA) method (requires your Master Key)
- change the email address registered on your Kraken account
What can I do to keep my email safe?
1. Add Two-factor Authentication
The most effective method is to turn on 2FA on your email account. When 2FA is enabled, any login attempt on your account requires an extra passcode to be entered in addition to the username and password. This extra passcode is usually stored in an app on your phone and is re-generated every 30 seconds. It is also possible to use a security key such as a YubiKey.
We strongly recommend that you use a non-SMS 2FA method on your email account. Read more about why in our security advisory on mobile phones.
For a list of email providers that support 2FA (not maintained by us and possibly incomplete), click here. If you are not sure whether your email provider supports 2FA, check their help documentation and/or contact their support staff.
2. Use a strong and unique password
Your password should be randomly generated, longer than 16 characters and preferably generated and stored by a password manager. It should not be shared between multiple services (e.g. your Kraken account and your email account).
A password manager is a tool that creates and stores passwords for you, so you can use different passwords on different sites and services without having to memorise them. They generate strong and complex passwords that humans are unlikely to guess.
For more about password managers, see the Electronic Frontier Foundation’s (EFF) resources on password security.
3. Check account settings and activity
Check your email settings to make sure that nobody has set up email forwarding to another email address that you are not aware of.
Check your recent email account activity and details of all logins. In your account activity overview you may be able to see if anyone else is logged into your account.
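As an added illustration of the forwarding check above (not part of the original article), the script below audits a mailbox's forwarding configuration against the addresses you recognise. The input shapes are modelled on the Gmail settings API's AutoForwarding and Filter resources (an assumption; other providers expose the same information differently), and all sample data is constructed.

```python
"""Flag mail forwarding that goes to an address the mailbox owner does not recognise.

Input shapes are assumed to follow the Gmail settings API's AutoForwarding and
Filter resources; the sample data below is constructed for this example.
"""

# Addresses the owner knows about (constructed).
KNOWN_ADDRESSES = {"me@example.com", "my-backup@example.net"}

# Constructed sample of the account-wide forwarding setting.
AUTO_FORWARDING = {"enabled": True,
                   "emailAddress": "collector@unknown-party.example",
                   "disposition": "leaveInInbox"}

# Constructed sample of per-mailbox filter rules.
FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@example.org"},
     "action": {"addLabelIds": ["Label_1"]}},
    {"id": "f2", "criteria": {"query": "kraken OR password OR reset"},
     "action": {"forward": "collector@unknown-party.example",
                "removeLabelIds": ["INBOX"]}},
    {"id": "f3", "criteria": {"to": "me@example.com"},
     "action": {"forward": "my-backup@example.net"}},
]


def audit_forwarding(auto_forwarding, filters, known_addresses):
    """Return (source, address, detail) findings; an empty list means nothing unexpected."""
    findings = []
    if auto_forwarding.get("enabled"):
        addr = auto_forwarding.get("emailAddress", "")
        if addr not in known_addresses:
            findings.append(("auto-forwarding", addr, "account-wide forwarding enabled"))
    for flt in filters:
        action = flt.get("action", {})
        addr = action.get("forward")
        if not addr or addr in known_addresses:
            continue
        detail = "filter %s forwards mail" % flt.get("id")
        # A rule that also removes the copy from the inbox keeps the owner from
        # noticing the forwarded messages, so call that out explicitly.
        if "INBOX" in action.get("removeLabelIds", []):
            detail += " and hides it from the inbox"
        findings.append(("filter", addr, detail))
    return findings


if __name__ == "__main__":
    for source, addr, detail in audit_forwarding(AUTO_FORWARDING, FILTERS, KNOWN_ADDRESSES):
        print(f"[{source}] -> {addr}: {detail}")
```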
4. Set up PGP email encryption
Setting up PGP email encryption on your email account and on your Kraken account will ensure that only you can read emails that are sent from our systems to reset your password, request your username or take other account actions.
See the following support articles for more information on PGP and how to set it up:
5. Check and turn off email recovery options
Many email providers offer options to recover access to your email account in case you get locked out or forget your password. Often they allow you to set up a secondary email account for recovery, or to use a registered phone number to receive an SMS or phone call. Both of these options can be abused, and we strongly recommend not setting either of them up. If you have your phone number registered on the email account, remove it or turn it off as a recovery option.