2-FA is now obligatory on Kraken

[kenzawak]

https://www.theblockcrypto.com/tiny/kraken-makes-2fa-obligatory-forms-kraken-security-labs/

"Kraken’s Chief Security Officer Nick Percoco has announced changes to the cryptocurrency exchange’s security features. He promises there are more client-facing security enhancements on the way, all a part of a security features roadmap planned out into 2020. Most new features will require enabling by the client to add additional levels of security.

This is the case with Two Factor Authentication. While the feature has been available since Kraken’s launch, it was previously optional. Now, Two Factor Authentication has been made a requirement by the exchange. There are now two options available to the clients—Google Authenticator and YubiKey.

Percoco also announced the formation of Kraken Security Labs. Percoco writes, “The effort is committed to improving the security of the entire cryptocurrency ecosystem by performing vulnerability research against 3rd party products—like hardware wallets, software wallets, and other related technology—and disclosing identified issues in a way that does not jeopardize the security of the industry or our clients, but rather improve security for our clients and the world once the issues are fixed.”

[1713966400]

1713966400

[bitmover]

No doubt 2fa is an essential security feature.

However it's good to notice that Google authenticator is also dangerous to use if you don't make a proper back up of your access keys
I wrote this few time ago

Hello everyone,

In this crypto universe most of us use 2FA (2 factor authentication) in many services, such as mails, exchanges and more.
It's strongly recommended to use 2FA. I use it on almost all my accounts. There are several apps that make 2FA, and the most used is Google Authenticator.

But one thing that many people do not know is the fact that Google Authenticator (GA) does not save your 2FA accounts in your google account. So if you lose your phone you lose access to all accounts linked to your GA (unless the site has some additional recovery mechanism).

So if you use GA it is worth taking at least one of these two precautions:
-You should always note the key when registering an 2FA account. Few people realize, but there is always a sequence of numbers below the QR code (or somewhere else on the website) when you register that account on your GA.
- Register the account on another device, such as a tablet.

An excellent alternative to GA is Authy app. This program works just like GA, but it saves your access accounts. That way, if you lose your cell phone, that's okay, as your data is backed up in the cloud.

Authy has an option to prohibit the registration of new devices. So if someone steals your Auth password, they can not add an additional device, unless if an authorized device allows the registration of new devices to your account.

In theory, GA is safer than Authy, because your data never leaves your phone. But for most cases it's more probable I lose my phone (or it breaks or whatever) than an attacker steals my passwords and my authy account and authorizes a new device. Anyway, using GA taking these precautions mentioned above is a great option.

Edit: Authy also has a google chrome extension, so you can use it on your desktop.

[jhenfelipe]

Security features are available, users just need to enable it. However, there are people who don't realize how important 2FA is until they experience an unknown log in attempt in their account or in the worst case scenario, account being hacked. I think requiring users to enable 2FA is really a good move.

However it's good to notice that Google authenticator is also dangerous to use if you don't make a proper back up of your access keys

I agree. That's why users should take it seriously. Websites provide all the information when setting up 2FA using Google Authenticator. They are doing their part of reminding users to save and make a back up of their key because that's the only way to recover when the phone got broken or lost. Users (including me) should do their part too, it's our responsibility.

[condoras]

Security features are available, users just need to enable it. However, there are people who don't realize how important 2FA is until they experience an unknown log in attempt in their account or in the worst case scenario, account being hacked. I think requiring users to enable 2FA is really a good move.

The problem is that the majority of people think that a good password is enough. Plus that they believe that the site, app, service is the one responsible for the security and not them.
Putting 2FA as a mandatory and not as an option, is probably the best solution. Finally, they realized it on Kraken...

[LeGaulois]

I have always refused to use 2FA and I don't feel the need and I'm not actually interested.
I know it's just an extra security layer but I'm fine and I don't want anything extra. At my own risk, I know it. I don't want to bother to look at how it works, to use a google product and to waste my time searching how to use an alternative that may be not working for all websites.
Trully, that's good for Kraken but not for me, I may ever look at another alternative. Even banks don't use it.

[kenzawak]

I have always refused to use 2FA and I don't feel the need and I'm not actually interested.
I know it's just an extra security layer but I'm fine and I don't want anything extra. At my own risk, I know it. I don't want to bother to look at how it works, to use a google product and to waste my time searching how to use an alternative that may be not working for all websites.
Trully, that's good for Kraken but not for me, I may ever look at another alternative. Even banks don't use it.

On Kraken, the 2-FA can just be a second password, no need to use google authenticator if you don't want to.

[figmentofmyass]

I have always refused to use 2FA and I don't feel the need and I'm not actually interested.
I know it's just an extra security layer but I'm fine and I don't want anything extra. At my own risk, I know it. I don't want to bother to look at how it works, to use a google product and to waste my time searching how to use an alternative that may be not working for all websites.
Trully, that's good for Kraken but not for me, I may ever look at another alternative. Even banks don't use it.

On Kraken, the 2-FA can just be a second password, no need to use google authenticator if you don't want to.

do they still allow a static password for a 2fa? i remember that was true several years ago but i'd be amazed if they haven't removed that option. it's really insecure. proper 2fa is composed of "something you know" (password) and "something you have" (like TOTP authentication on your phone).

i thought this statement from the OP meant you need to use one-time passwords at kraken:

Now, Two Factor Authentication has been made a requirement by the exchange. There are now two options available to the clients—Google Authenticator and YubiKey.

[kenzawak]

I have always refused to use 2FA and I don't feel the need and I'm not actually interested.
I know it's just an extra security layer but I'm fine and I don't want anything extra. At my own risk, I know it. I don't want to bother to look at how it works, to use a google product and to waste my time searching how to use an alternative that may be not working for all websites.
Trully, that's good for Kraken but not for me, I may ever look at another alternative. Even banks don't use it.

On Kraken, the 2-FA can just be a second password, no need to use google authenticator if you don't want to.

do they still allow a static password for a 2fa? i remember that was true several years ago but i'd be amazed if they haven't removed that option. it's really insecure. proper 2fa is composed of "something you know" (password) and "something you have" (like TOTP authentication on your phone).

i thought this statement from the OP meant you need to use one-time passwords at kraken:

Now, Two Factor Authentication has been made a requirement by the exchange. There are now two options available to the clients—Google Authenticator and YubiKey.

I just checked my Kraken security and there is still the static password as a supported method. 

[magneto]

A lot of exchanges are already doing this, and this should have been done way earlier. I'm fairly sure that Binance has been doing this kind of thing for at least a year, since you can't withdraw if I remember correctly until you add a 2FA method.

2FA does not guarantee security, but at least now there is a much less likely probability that hacks will occur into user accounts.

Also, interesting that Kraken haven't added SMS/phone calls as a means of 2fa verification. Perhaps setting that up would present too much of a cost for them? I'm not sure, but there are certainly people who would prefer SMS over authentication apps.

[Kraken-Septimus]

I have always refused to use 2FA and I don't feel the need and I'm not actually interested.
I know it's just an extra security layer but I'm fine and I don't want anything extra. At my own risk, I know it. I don't want to bother to look at how it works, to use a google product and to waste my time searching how to use an alternative that may be not working for all websites.
Trully, that's good for Kraken but not for me, I may ever look at another alternative. Even banks don't use it.

Hi LeGaulois. I would highly suggest reading up on 2FA. What happens if your email is compromised? The hacker could very easily see that you're signed up for cryptocurrency exchanges, request your username & password, log into your account and take the balance in it's entirety. Even if your email has a very long and strong, randomly generated password that doesn't protect you from data breaches affecting your email accounts.

do they still allow a static password for a 2fa? i remember that was true several years ago but i'd be amazed if they haven't removed that option. it's really insecure. proper 2fa is composed of "something you know" (password) and "something you have" (like TOTP authentication on your phone).

i thought this statement from the OP meant you need to use one-time passwords at kraken:

Now, Two Factor Authentication has been made a requirement by the exchange. There are now two options available to the clients—Google Authenticator and YubiKey.

Hi figmentofmyass. Static passwords are still an option, but aren't recommended if you have access to Google Authenticator or Yubikey. As you mentioned, they are the least secure option out of the three.

Also, interesting that Kraken haven't added SMS/phone calls as a means of 2fa verification. Perhaps setting that up would present too much of a cost for them? I'm not sure, but there are certainly people who would prefer SMS over authentication apps.

Hi magneto. While I should never say never, it's extremely unlikely that Kraken will ever offer SMS/phonecall 2FA. If this is the only option on other websites, it's better than no 2FA, but it's certainly not as secure as other methods. On Kraken the most secure option would be a Yubikey, followed by Google Authenticator.

[LeGaulois]

@Kraken-Septimus
It's on my to-do list once I finish sending some documents to get verified to the next membership.
As for getting an email compromised, yeah it's a valid point. But I'm using a private email and there is no password so a hacker can't log in