A Hardware Security Key is a small physical device used for additional security next to your password and is considered to be one of the most secure ways of two-factor authentication (2FA). Most Hardware Security Keys are very simple and you only need to touch or tap a button while it is plugged into the USB port of your device.
At this moment only sign-in 2FA can be secured with both FIDO2 and Yubico OTP protocols. Sign-in 2FA and the Master Key support Hardware Security Keys that use the FIDO2 protocol. Funding 2FA only supports the Yubico OTP protocol.
Functions | Available Hardware Security Key protocols |
|---|---|
Sign-in 2FA | FIDO2 |
Trading 2FA | None |
Funding 2FA | Yubico OTP |
Master Key | FIDO2 |
Each function needs to be set up separately. To learn more about the 2FA functions above, you can review this support article.
Simplicity:
All you need to do with a Hardware Security Key is plug it into, or hold it against your device and touch or tap a button. No need to copy a passcode from an authenticator app or worry about your device's battery running out.
Security:OTP’s generated by a Hardware Security Key are significantly longer than those from an authenticator app (44 characters versus 8 or less characters). FIDO2 adds additional security on top of this, because the protocol will only respond to a challenge from the website that you registered it on, and will therefore prevent phishing.
Harder to lose:
We see a lot of tickets at Kraken Support because someone lost their phone. In our experience, it is less likely to lose a device specifically used for 2FA than a phone that is carried around all the time.
Privacy:
Even if you lose your Hardware Security Key, it has no identifiable information about what it is used for or who it belongs to. In contrast, an authenticator app mentions the website name and some identifiable account information because the passcode needs to be manually read by a human.
Some of the most popular FIDO2 Hardware Security Key providers are:
Each has their own advantages and disadvantages. Some are multifunctional, and also serve as a cryptocurrency wallet, while others are specialized in providing security above everything else. It is up to you which provider you choose, we recommend starting with searching “fido2 Hardware Security Key comparison” in your preferred search engine or picking one of the popular Hardware Security Key providers we mentioned earlier.
Please review our How to enable Multiple 2FAarticle, which explains how to set up a Security Key for two-factor authentication (2FA).
Updating your Sign-in 2FA from a Hardware Security Key that uses YubiKey OTP to a Hardware Security Key that uses FIDO2 takes less than a minute!
Select Change method in the Sign-in section and then use your current YubiKey to authorize this change.
Insert your
FIDO2 Hardware Security Key
into your device.
Select allow on the following screen.
Congratulations, your FIDO2 Hardware Security Key is now enabled as Sign-in 2FA for your Kraken account! You have the highest level of security available to protect unauthorized access to your account.
If you no longer have access to your Hardware Security Key, please fill out this form.
Yubico OTP is a protocol that generates a unique 44-character passcode when touched while plugged into a device. This passcode can only be used once and is significantly more secure than an authenticator app, due to an app only generating a 6-8 character passcode.
FIDO2 is a protocol that prevents phishing by verifying the legitimacy of the website you use the Hardware Security Key for. A private key is stored on the Hardware Security Key together with a corresponding public key that is bound to the Kraken website. Kraken will send a challenge for your unique Hardware Security Key every time someone attempts to sign in with your username and password. The Hardware Security Key will use its private key to respond to Kraken if it can verify that the challenge came from the correct website and will only then allow you to sign into your account. Since a FIDO2 Hardware Security Key can only authenticate services that you have previously registered, it will prevent you from entering the correct passcode on a website that is imitating Kraken.
Depending on the device you use, you may be prompted to set or use a PIN when using a FIDO2 key. For an overview on how to set or use a PIN you can visit the website of your Hardware Security Key manufacturer. For example, if your Hardware Security Key is a YubiKey, you can find more information on how to manage your Hardware Security Key's PIN on Yubico's website.