Bitcoin Forum
Author Topic: 2-FA is now obligatory on Kraken  (Read 122 times)
kenzawak
March 27, 2019, 02:54:10 PM
 #1

https://www.theblockcrypto.com/tiny/kraken-makes-2fa-obligatory-forms-kraken-security-labs/

"Kraken’s Chief Security Officer Nick Percoco has announced changes to the cryptocurrency exchange’s security features. He promises there are more client-facing security enhancements on the way, all a part of a security features roadmap planned out into 2020. Most new features will require enabling by the client to add additional levels of security.

This is the case with Two Factor Authentication. While the feature has been available since Kraken’s launch, it was previously optional. Now, Two Factor Authentication has been made a requirement by the exchange. There are now two options available to the clients—Google Authenticator and YubiKey.

Percoco also announced the formation of Kraken Security Labs. Percoco writes, “The effort is committed to improving the security of the entire cryptocurrency ecosystem by performing vulnerability research against 3rd party products—like hardware wallets, software wallets, and other related technology—and disclosing identified issues in a way that does not jeopardize the security of the industry or our clients, but rather improve security for our clients and the world once the issues are fixed.”

bitmover
March 27, 2019, 03:47:06 PM
 #2

No doubt 2fa is an essential security feature.

However it's good to notice that Google authenticator is also dangerous to use if you don't make a proper back up of your access keys
I wrote this some time ago:


Hello everyone,

In this crypto universe most of us use 2FA (2 factor authentication) in many services, such as mails, exchanges and more.
It's strongly recommended to use 2FA. I use it on almost all my accounts. There are several apps that make 2FA, and the most used is Google Authenticator.

But one thing that many people do not know is the fact that Google Authenticator (GA) does not save your 2FA accounts in your google account. So if you lose your phone you lose access to all accounts linked to your GA (unless the site has some additional recovery mechanism).

So if you use GA it is worth taking at least one of these two precautions:
- You should always note the key when registering a 2FA account. Few people realize, but there is always a sequence of numbers below the QR code (or somewhere else on the website) when you register that account on your GA.
- Register the account on another device, such as a tablet.

An excellent alternative to GA is Authy app. This program works just like GA, but it saves your access accounts. That way, if you lose your cell phone, that's okay, as your data is backed up in the cloud.

Authy has an option to prohibit the registration of new devices. So if someone steals your Authy password, they cannot add an additional device, unless an authorized device allows the registration of new devices to your account.

In theory, GA is safer than Authy, because your data never leaves your phone. But for most cases it's more probable I lose my phone (or it breaks or whatever) than an attacker steals my passwords and my authy account and authorizes a new device. Anyway, using GA taking these precautions mentioned above is a great option.

Edit: Authy also has a google chrome extension, so you can use it on your desktop.
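
What the backup advice in the post above relies on, as an added example that is not part of the original thread: the key shown under the QR code is the whole TOTP secret (RFC 6238), so a second device or a written copy produces the same codes. The function names, the sample URI and the written key are constructed for illustration; the secret is the public RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample data: what the QR code encodes, and the same key as a
# user might copy it down by hand (lowercase, grouped with spaces).
SAMPLE_URI = ("otpauth://totp/Example:alice?"
              "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
WRITTEN_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

def parse_otpauth(uri):
    """Pull the label, Base32 secret, digits and period out of an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("URI carries no secret")
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }

def decode_secret(text):
    """Accept the key as typed from a paper note: spaces, dashes, any case."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore Base32 padding
    return base64.b32decode(cleaned)

def totp(secret_text, unix_time, digits=6, period=30):
    """RFC 6238 code (HMAC-SHA1) for the given secret and time."""
    key = decode_secret(secret_text)
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    import time
    now = time.time()
    phone = parse_otpauth(SAMPLE_URI)
    # The "phone" (QR code) and the paper backup yield the same code.
    print(totp(phone["secret"], now, phone["digits"], phone["period"]))
    print(totp(WRITTEN_KEY, now))
```

Because anyone holding the key can generate valid codes, the written copy needs the same protection as the phone itself.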

jhenfelipe
March 28, 2019, 09:21:11 AM
 #3

Security features are available, users just need to enable it. However, there are people who don't realize how important 2FA is until they experience an unknown log in attempt in their account or in the worst case scenario, account being hacked. I think requiring users to enable 2FA is really a good move.


Quote from: bitmover
However it's good to notice that Google authenticator is also dangerous to use if you don't make a proper back up of your access keys

I agree. That's why users should take it seriously. Websites provide all the information when setting up 2FA using Google Authenticator. They are doing their part of reminding users to save and make a back up of their key because that's the only way to recover when the phone got broken or lost. Users (including me) should do their part too, it's our responsibility.

 
condoras
March 28, 2019, 10:35:24 AM
 #4

Quote from: jhenfelipe
Security features are available, users just need to enable it. However, there are people who don't realize how important 2FA is until they experience an unknown log in attempt in their account or in the worst case scenario, account being hacked. I think requiring users to enable 2FA is really a good move.

The problem is that the majority of people think that a good password is enough. Plus that they believe that the site, app, service is the one responsible for the security and not them.
Putting 2FA as a mandatory and not as an option, is probably the best solution. Finally, they realized it on Kraken...

LeGaulois
March 28, 2019, 01:18:50 PM
 #5

I have always refused to use 2FA and I don't feel the need and I'm not actually interested.
I know it's just an extra security layer but I'm fine and I don't want anything extra. At my own risk, I know it. I don't want to bother to look at how it works, to use a google product and to waste my time searching how to use an alternative that may be not working for all websites.
Truly, that's good for Kraken but not for me, I may ever look at another alternative. Even banks don't use it.

kenzawak
March 28, 2019, 01:45:47 PM
Merited by LeGaulois (1)
 #6

Quote from: LeGaulois
I have always refused to use 2FA and I don't feel the need and I'm not actually interested.
I know it's just an extra security layer but I'm fine and I don't want anything extra. At my own risk, I know it. I don't want to bother to look at how it works, to use a google product and to waste my time searching how to use an alternative that may be not working for all websites.
Truly, that's good for Kraken but not for me, I may ever look at another alternative. Even banks don't use it.

On Kraken, the 2-FA can just be a second password, no need to use google authenticator if you don't want to.
figmentofmyass
March 28, 2019, 05:39:20 PM
 #7

Quote from: LeGaulois
I have always refused to use 2FA and I don't feel the need and I'm not actually interested.
I know it's just an extra security layer but I'm fine and I don't want anything extra. At my own risk, I know it. I don't want to bother to look at how it works, to use a google product and to waste my time searching how to use an alternative that may be not working for all websites.
Truly, that's good for Kraken but not for me, I may ever look at another alternative. Even banks don't use it.

Quote from: kenzawak
On Kraken, the 2-FA can just be a second password, no need to use google authenticator if you don't want to.

do they still allow a static password for a 2fa? i remember that was true several years ago but i'd be amazed if they haven't removed that option. it's really insecure. proper 2fa is composed of "something you know" (password) and "something you have" (like TOTP authentication on your phone).

i thought this statement from the OP meant you need to use one-time passwords at kraken:

Quote
Now, Two Factor Authentication has been made a requirement by the exchange. There are now two options available to the clients—Google Authenticator and YubiKey.

kenzawak
March 28, 2019, 08:19:50 PM
 #8

Quote from: LeGaulois
I have always refused to use 2FA and I don't feel the need and I'm not actually interested.
I know it's just an extra security layer but I'm fine and I don't want anything extra. At my own risk, I know it. I don't want to bother to look at how it works, to use a google product and to waste my time searching how to use an alternative that may be not working for all websites.
Truly, that's good for Kraken but not for me, I may ever look at another alternative. Even banks don't use it.

Quote from: kenzawak
On Kraken, the 2-FA can just be a second password, no need to use google authenticator if you don't want to.

Quote from: figmentofmyass
do they still allow a static password for a 2fa? i remember that was true several years ago but i'd be amazed if they haven't removed that option. it's really insecure. proper 2fa is composed of "something you know" (password) and "something you have" (like TOTP authentication on your phone).

i thought this statement from the OP meant you need to use one-time passwords at kraken:

Quote
Now, Two Factor Authentication has been made a requirement by the exchange. There are now two options available to the clients—Google Authenticator and YubiKey.

I just checked my Kraken security and there is still the static password as a supported method.  Huh
magneto
March 28, 2019, 10:15:06 PM
 #9

A lot of exchanges are already doing this, and this should have been done way earlier. I'm fairly sure that Binance has been doing this kind of thing for at least a year, since you can't withdraw if I remember correctly until you add a 2FA method.

2FA does not guarantee security, but at least now there is a much less likely probability that hacks will occur into user accounts.

Also, interesting that Kraken haven't added SMS/phone calls as a means of 2fa verification. Perhaps setting that up would present too much of a cost for them? I'm not sure, but there are certainly people who would prefer SMS over authentication apps.

 
Kraken-Septimus
May 01, 2019, 04:46:53 PM
Merited by dothebeats (1)
 #10

Quote from: LeGaulois
I have always refused to use 2FA and I don't feel the need and I'm not actually interested.
I know it's just an extra security layer but I'm fine and I don't want anything extra. At my own risk, I know it. I don't want to bother to look at how it works, to use a google product and to waste my time searching how to use an alternative that may be not working for all websites.
Truly, that's good for Kraken but not for me, I may ever look at another alternative. Even banks don't use it.

Hi LeGaulois. I would highly suggest reading up on 2FA. What happens if your email is compromised? The hacker could very easily see that you're signed up for cryptocurrency exchanges, request your username & password, log into your account and take the balance in its entirety. Even if your email has a very long and strong, randomly generated password that doesn't protect you from data breaches affecting your email accounts.

Quote from: figmentofmyass
do they still allow a static password for a 2fa? i remember that was true several years ago but i'd be amazed if they haven't removed that option. it's really insecure. proper 2fa is composed of "something you know" (password) and "something you have" (like TOTP authentication on your phone).

i thought this statement from the OP meant you need to use one-time passwords at kraken:

Quote
Now, Two Factor Authentication has been made a requirement by the exchange. There are now two options available to the clients—Google Authenticator and YubiKey.

Hi figmentofmyass. Static passwords are still an option, but aren't recommended if you have access to Google Authenticator or Yubikey. As you mentioned, they are the least secure option out of the three.

Quote from: magneto
Also, interesting that Kraken haven't added SMS/phone calls as a means of 2fa verification. Perhaps setting that up would present too much of a cost for them? I'm not sure, but there are certainly people who would prefer SMS over authentication apps.

Hi magneto. While I should never say never, it's extremely unlikely that Kraken will ever offer SMS/phonecall 2FA. If this is the only option on other websites, it's better than no 2FA, but it's certainly not as secure as other methods. On Kraken the most secure option would be a Yubikey, followed by Google Authenticator.

LeGaulois
May 01, 2019, 08:02:23 PM
 #11

@Kraken-Septimus
It's on my to-do list once I finish sending some documents to get verified to the next membership.
As for getting an email compromised, yeah it's a valid point. But I'm using a private email and there is no password so a hacker can't log in
