Log In | Kraken® — Sign In to Your Account

Complete, security-first guidance for signing into Kraken: step-by-step login flows, multi-factor authentication (MFA) options including WebAuthn/FIDO2, account recovery, API key safety, withdrawal protections, troubleshooting, and incident response.

Why secure login matters

Kraken accounts can hold significant cryptocurrency balances and fiat positions — protecting access is critical. Login security combines strong credentials, multi-factor authentication, device hygiene, and platform-level safeguards. Kraken provides advanced options (two-factor via authenticator apps, U2F/WebAuthn hardware keys, account lock features, and withdrawal whitelists) that reduce the attack surface. This guide helps you pick and configure the strongest controls suitable to your needs.

Standard sign-in flow

  1. Open a browser and go to kraken.com (or launch the official Kraken mobile app). Confirm the HTTPS lock and domain before entering credentials.
  2. Click Sign In and enter your registered email address or username.
  3. Enter your password. Use a unique, high-entropy password stored in a reputable password manager.
  4. Complete your configured second-factor authentication: TOTP from an authenticator app or hardware key prompt if you registered one.
  5. After successful login, Kraken may ask for additional verification when performing sensitive actions (withdrawals, adding bank accounts, or high-value trades).

Never enter credentials on suspicious pages. If you receive unexpected password-reset emails, treat them as potential phishing attempts and verify activity directly via the Kraken site.

Choosing strong authentication

Kraken supports multiple 2FA methods. Choose the strongest practical option and combine it with good device practices:

  • WebAuthn / FIDO2 (hardware security keys): The most phishing-resistant option. Register security keys (YubiKey or similar) to confirm logins and MFA challenges. Hardware keys require physical presence and are immune to most remote phishing attacks.
  • TOTP authenticator apps: Use Authy, Google Authenticator, or another secure TOTP app. TOTP is widely supported and more secure than SMS.
  • SMS: Better than no MFA but vulnerable to SIM swap attacks. Use only if stronger options aren't available.

Recommendation: Register both a hardware key and a TOTP method if possible, and securely store any recovery codes provided during setup. Redundancy reduces lockout risk while maximizing security.

Setting up TOTP (authenticator app)

  1. Log in to Kraken and go to Security > Two-Factor Authentication.
  2. Select Authenticator App (TOTP) and scan the QR code with your authenticator app or enter the secret manually.
  3. Enter the 6-digit code generated by the app to confirm setup.
  4. Save any backup/recovery codes in a secure offline location (physical safe, encrypted vault).

If you change phones, migrate your authenticator data securely (use app-specific backup features or export/import methods supported by the app). If you lose your TOTP device and have no recovery codes, you will have to go through Kraken’s account recovery procedures.

Registering and using hardware security keys (WebAuthn)

Hardware keys provide the strongest login protection. To add a key:

  1. Under Security > WebAuthn in your Kraken account, choose to register a new security key.
  2. Follow prompts and insert or tap the security key when requested. Give the key a clear label (e.g., "YubiKey — Home").
  3. Test the key by logging out and signing back in, using the key when prompted for 2FA.

Keep a secondary backup key stored offline — losing your only hardware key could complicate recovery even if you have TOTP enabled.
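Why a hardware key resists phishing, shown as the server-side checks a WebAuthn relying party applies to a sign-in response. This is an added example, not Kraken's code: the RP ID, the expected origin, the look-alike domain and the sample data are assumptions constructed for illustration, and signature verification is left out to keep the focus on origin binding.

```python
import base64
import hashlib
import json
import struct

# Assumptions for illustration; the page does not state Kraken's RP ID or origin.
RP_ID = "kraken.com"
EXPECTED_ORIGIN = "https://www.kraken.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def simulate_browser(origin, rp_id, challenge, user_present=True):
    """Constructed stand-in for what a browser and key hand back on sign-in."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    flags = 0x01 if user_present else 0x00
    # authenticatorData = SHA-256(rpId) || flags (1 byte) || signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, 1)
    return client_data, auth_data


def check_assertion(client_data_json, auth_data, expected_challenge):
    """Return the list of failed checks; an empty list means all passed."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("wrong type")
    if client.get("challenge") != b64url(expected_challenge):
        failures.append("challenge mismatch")
    if client.get("origin") != EXPECTED_ORIGIN:  # the browser writes this, not the page
        failures.append("origin mismatch")
    if len(auth_data) < 37:
        return failures + ["authenticator data too short"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash mismatch")
    if not auth_data[32] & 0x01:  # UP (user present) flag
        failures.append("user not present")
    return failures


CHALLENGE = bytes(range(32))  # constructed; a real server uses fresh random bytes
GENUINE = simulate_browser(EXPECTED_ORIGIN, RP_ID, CHALLENGE)
LOOKALIKE = simulate_browser("https://kraken-login.example", "kraken-login.example", CHALLENGE)

if __name__ == "__main__":
    print("genuine:", check_assertion(*GENUINE, CHALLENGE))
    print("look-alike:", check_assertion(*LOOKALIKE, CHALLENGE))
```

Because the browser fills in the origin and the key signs over the RP ID hash, a response produced on a look-alike page fails both checks even when the user taps the key.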

Account recovery — lost access to 2FA

If you lose access to your 2FA (lost phone or keys), Kraken’s recovery process is protective by design. Typical steps include:

  1. Use any saved backup codes to regain access immediately.
  2. If no backup codes exist, initiate Kraken’s account recovery. Be prepared to provide identity verification (government ID, proof of address), recent account activity details, and any transaction IDs requested.
  3. Recovery may take time — do not attempt to circumvent the process via less secure avenues or share sensitive data in unverified channels.

Proactively store recovery materials in secure, separated locations to prevent lengthy recovery procedures.

Protecting API keys and programmatic access

Developers and advanced users commonly create API keys for bots and integrations. Secure them by following these rules:

  • Never embed API keys directly in public code repositories or client-side apps.
  • Scope API keys to the minimum permissions needed (read-only for monitoring; restricted trading or withdrawal rights only when strictly required).
  • Use IP whitelisting for API keys where supported to limit access to known servers.
  • Rotate API keys periodically and delete unused keys immediately.

Withdrawal protections & device controls

Kraken offers features to limit unauthorized withdrawals:

  • Withdrawal address whitelisting: Restrict withdrawals to pre-approved addresses so funds cannot be routed elsewhere.
  • Withdrawal delay windows: Enable delays for new withdrawal addresses, giving you time to cancel suspicious requests.
  • Account lock: Use Kraken’s temporary lock features to block account activity while you investigate suspicious logins.

Combine these with strong 2FA and careful device security for layered protection.

Device & browser hygiene

  • Keep your OS, browser, and security software updated to patch vulnerabilities.
  • Use modern browsers with phishing protections and avoid installing untrusted extensions.
  • On desktops, avoid logging in from public or shared computers. If necessary, use a trusted VPN and clear browsing data after the session.
  • Secure mobile devices with PINs, biometrics, and remote wipe capabilities.

Troubleshooting common login issues

Not receiving verification emails

  • Check spam and any email filters. Whitelist Kraken’s domain.
  • Confirm your account email is correct in account settings.
  • If issues persist, contact Kraken Support and provide timestamps and relevant details.

MFA codes failing

  • Ensure your authenticator app has correct time settings (automatic network time recommended).
  • Try backup codes if you saved them during setup.
  • If you have lost both TOTP and hardware keys, start the support-led recovery process.
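The time-setting advice above follows from how TOTP codes are derived. The following added example (not Kraken's code) implements RFC 6238 and checks codes from phones with different clock errors; the secret is the RFC test key, and the acceptance window of one step either side is an assumption, since the page does not state what Kraken allows.

```python
import base64
import hashlib
import hmac
import struct

# Constructed secret (the RFC 6238 test key), in the base32 form that a setup
# QR code or manual-entry string carries.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30) -> str:
    """RFC 6238: the counter is the number of whole steps since the epoch."""
    return hotp(secret_b32, unix_time // step)


def verify(secret_b32, code, server_time, window=1, step=30):
    """Return the step offset at which the code matched, or None if rejected."""
    counter = server_time // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if candidate >= 0 and hmac.compare_digest(hotp(secret_b32, candidate), code):
            return drift
    return None


def skew_demo(server_time=59):
    """Check codes from phones whose clocks run 0 s, 30 s and 240 s fast."""
    return {skew: verify(SECRET_B32, totp(SECRET_B32, server_time + skew), server_time)
            for skew in (0, 30, 240)}


if __name__ == "__main__":
    print(skew_demo())  # matched step offset per skew; None means rejected
```

A phone that is one step off still verifies under this window, while a clock several minutes out produces a code the server never computes, which is why enabling automatic network time usually resolves failing codes.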

Unable to use a hardware key

  • Test the key on another device or browser to rule out local problems.
  • Ensure your browser supports WebAuthn and that USB/U2F permissions are allowed.

Incident response — suspected compromise

  1. Change your Kraken password immediately from a secure device if you retain access.
  2. Revoke active sessions and API keys via Security settings.
  3. Enable account lock or withdrawal hold while you contact Kraken Support.
  4. Gather evidence: timestamps, transaction IDs, suspicious emails, and device details to provide to support and law enforcement where necessary.

Act fast but follow secure channels — do not send recovery secrets via email or social media.

Frequently asked questions

Is SMS 2FA acceptable?

SMS is better than no second factor but vulnerable to SIM swap and porting attacks. Prefer TOTP and hardware security keys for stronger protection.

How do I back up TOTP safely?

Save recovery codes in a secure offline place or use an authenticator app that supports encrypted backups. Consider a hardware-backed secure vault for high-value accounts.

What should I do if my API key is exposed?

Immediately delete the exposed key, create a new key with appropriate restrictions, and review recent activity for unauthorized use. If funds were moved, contact Kraken Support immediately.