Keeping the email account registered to your Kraken account safe is the single most important thing to secure your Kraken account. This is because someone with access to your email account can potentially gain access to your Kraken account.
With access to your email account an attacker can:
- request your username
- reset your password (can be prevented if you enabled a Master Key)
- request to bypass your Two-factor Authentication (2FA) method (requires your Master Key)
- change the email address registered on your Kraken account
Note: We strongly recommend setting up an email account that you only use for Kraken.
What can I do to keep my email safe?
1. Use a strong and unique password
Your password should be randomly generated, longer than 12 characters and preferably generated and stored by a password manager. It must not not be shared between multiple services. No matter how complex your password is, if you use the same password on different platforms, you risk having your password compromised on a poorly protected site and reused on all your accounts.
A password manager is a tool that creates and stores passwords for you, so you can use different passwords on different sites and services without having to memorise them. They generate strong and complex passwords that humans are unlikely to guess.
For more about password managers, see the Electronic Frontier Foundation’s (EFF) resources on password security.
2. Add Two-factor Authentication
The most effective method is to enable 2FA on your email account. When 2FA is enabled, any sign-in attempt on your account requires an extra passcode to be entered in addition to the username and password. This extra passcode is usually stored in an app on your phone and is re-generated every 30 seconds. It is also possible to use a security key such as a YubiKey.
We strongly recommend that you use a non-SMS 2FA method on your email account. Read more about why in our security advisory on mobile phones.
For a list (not maintained by us and may be incomplete) of email providers that support 2FA, click here. If you are not sure if your email provider supports 2FA, check their help documentation and/or contact their support staff.
3. Turn off email recovery options
Many email providers offer options to recover access to your email account in case you get locked out or forget your password. Often they allow you to set up a secondary email account for recovery or use the phone number registered to receive a SMS or phone call. Both of these options can be abused and we strongly recommend not setting either of them up. You would be surprised how easy it is to clone a SIM card or for an imposter to call your phone service provider and convince an agent they are speaking with you. If you have your phone number registered on the email account, remove it or turn it off as a recovery option.
See our Security advisory for mobile phones for more details.
4. Check account settings and activity
Check your email settings to make sure that nobody has set up email forwarding to another email address that you are not aware of.
Check your recent email account activity and details of all sign ins. In your account activity overview you may be able to see if anyone else is signed into your account.
5. Set up PGP email encryption (for advanced clients)
Setting up PGP email encryption on your email account and on your Kraken account will ensure that only you can read emails that are sent from our systems to reset your password, request your username or take other account actions.
See the following support articles for more information on PGP and how to set it up: