Kraken holds real money. A compromised Kraken account can result in immediate and irreversible financial loss. Two-factor authentication is non-negotiable for any crypto exchange account.
Kraken's 2FA Security Levels
Kraken offers two separate 2FA layers: one for sign-in and another for withdrawals. Use both for maximum protection.
Enable Sign-In 2FA
- Log in to Kraken and go to Security → Two-factor authentication
- Under Sign in two-factor, click Set up
- Choose Authenticator app (TOTP); this is the most secure option
- Scan the QR code with your authenticator app or paste the key into 2faco.com
- Enter the 6-digit code to verify
- Write down your backup codes
Set a Master Key (Optional but Recommended)
Kraken's Master Key is an additional password required to change security settings. This prevents an attacker from disabling 2FA even if they compromise your account password.
- Go to Security → Master key
- Set a unique, memorable password distinct from your login password
Enable Withdrawal 2FA
- Go to Security → Two-factor authentication → Withdrawal two-factor
- Set up a second TOTP entry using a different authenticator app entry or a different account in your authenticator
- This means even if your sign-in 2FA is compromised, funds cannot be withdrawn
Summary
- ✓ Enable TOTP 2FA for sign-in
- ✓ Set a Master Key to protect security settings
- ✓ Enable a separate 2FA for withdrawals
- ✓ Save backup codes offline
Why Kraken Requires Robust 2FA
Kraken is one of the largest cryptocurrency exchanges. Your Kraken account controls real funds and connects to bank accounts or other withdrawal methods. Unlike a hacked email account (which you can recover), cryptocurrency transactions are irreversible. A pending withdrawal from a compromised Kraken account cannot be undone after the fact. Kraken's multi-layer 2FA approach reflects this: you can configure different 2FA requirements for different action types.
Kraken's Master Key
Kraken supports a "Master Key": a passphrase you set that is required to change security settings on your account. This is separate from your login password and provides an extra barrier against an attacker who has already obtained your password. Set a Master Key from Security → Master Key. Store it in a password manager along with your login password.
Global Settings Lock
Kraken offers a Global Settings Lock (GSL), which prevents changes to your security settings (including 2FA method, withdrawal addresses, and API keys) without a 24-hour waiting period. This means even if an attacker gains full account access, they cannot immediately change your withdrawal address and drain funds; you get a window to detect and respond. Enable it under Security → Global Settings Lock.
Setting Up Different 2FA for Different Actions
Kraken uniquely allows you to configure separate 2FA methods for sign-in, trading/funding, and API key access. You could use an authenticator app for login, a hardware key for withdrawals, and a different TOTP for API access. This separation means compromising one factor does not automatically compromise all actions. Configure this under Security → Two-factor authentication.
Kraken API Keys and 2FA
If you use trading bots or third-party portfolio trackers connected to Kraken, secure your API keys carefully. Create dedicated API keys with only the permissions the tool needs (read-only for trackers, trade-only without withdrawals for bots). Set an IP restriction on the key if the tool runs from a fixed IP. Rotate API keys periodically and delete unused ones from Security → API.
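The API key rules above can be checked against a written inventory of your keys. The script below is an added example, not Kraken's code or output. The record fields, the permission labels ("read", "trade", "withdraw"), the 90-day rotation age and the 30-day unused threshold are all assumptions chosen for illustration.

```python
from datetime import date

# Assumed policy values; the guide only says "periodically" and "unused".
MAX_AGE_DAYS = 90
UNUSED_DAYS = 30
# Hypothetical permission labels, not Kraken's own permission names.
ALLOWED = {"tracker": {"read"}, "bot": {"read", "trade"}}

def audit_key(key, today):
    """Return a list of findings for one API key record."""
    findings = []
    allowed = ALLOWED.get(key["purpose"])
    if allowed is None:
        findings.append("unknown purpose: review manually")
    else:
        extra = sorted(set(key["permissions"]) - allowed)
        if extra:
            findings.append("excess permissions: " + ", ".join(extra))
    if not key["ip_allowlist"]:
        findings.append("no IP restriction")
    if (today - key["created"]).days > MAX_AGE_DAYS:
        findings.append("rotate: older than %d days" % MAX_AGE_DAYS)
    last = key["last_used"]
    if last is None or (today - last).days > UNUSED_DAYS:
        findings.append("delete: unused")
    return findings

def audit(keys, today):
    """Map key name -> findings, listing only keys with at least one finding."""
    report = {k["name"]: audit_key(k, today) for k in keys}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory (not real keys, not real Kraken data).
SAMPLE_KEYS = [
    {"name": "portfolio-tracker", "purpose": "tracker",
     "permissions": ["read", "trade"], "ip_allowlist": [],
     "created": date(2024, 1, 10), "last_used": date(2024, 5, 30)},
    {"name": "grid-bot", "purpose": "bot",
     "permissions": ["read", "trade"], "ip_allowlist": ["203.0.113.7"],
     "created": date(2024, 5, 1), "last_used": date(2024, 6, 1)},
    {"name": "old-bot", "purpose": "bot",
     "permissions": ["read", "trade", "withdraw"], "ip_allowlist": ["203.0.113.7"],
     "created": date(2023, 11, 2), "last_used": None},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_KEYS, date(2024, 6, 2)).items():
        print(name, "->", "; ".join(findings))
```

Keep the inventory itself free of key secrets; it only needs each key's name, purpose, permissions and dates.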