Kraken: Buy and sell crypto securely

About the sign-in experience

This page explains common components of modern exchange sign-in pages: username/email, password, and multi-factor authentication (2FA). It is inspired by general guidance from exchange documentation, including passkeys and authenticator apps for extra protection.

Email or Username Password

Recommended: enable Two-Factor Authentication (2FA) or passkeys for sign-in. These methods require a second factor such as a hardware security key, passkey, or an authenticator app code for added protection.

Passkeys & Security Keys Use device-bound passkeys or FIDO2 keys for phishing-resistant login.

ISO Security Institutional exchanges publish security practices and independent attestations.

Authenticator Apps Authenticator apps generate time-based codes for secure second-factor authentication.

Proof & Transparency Proof-of-reserves and third-party audits help users evaluate platform practices.

Account Recovery Understand recovery options and backup codes—securely store recovery information offline.

How a secure sign-in typically works

A modern secure sign-in flow usually involves: (1) entering your email/username and password; (2) a second factor such as a passkey, security key, or code from an authenticator app; and (3) optionally confirming the device with a biometric or device PIN. Passkeys and hardware security keys are phishing-resistant because they are cryptographic and registered specifically for the site. Authenticator apps and one-time codes add an extra layer that prevents access even if a password is compromised.

Practical tips

Always enable 2FA (passkey or authenticator) where supported.
Use a unique, strong password and a password manager to store it.
Register multiple recovery methods where supported and keep backups offline.
Do not share login links or one-time codes via chat or email.

Notes on devices and desktop clients

Many exchanges offer desktop applications and mobile apps with device-specific authentication; desktop apps may support advanced features such as native passkeys and hardware key integration for additional security.

When you enable a passkey or register a security key, your browser or device will create a unique credential linked to that specific host. Using passkeys reduces reliance on passwords and increases resistance to phishing attacks. If you switch devices frequently, keep at least one recovery mechanism or backup passkey registered so you can regain access if a device is lost. Always check the platform’s official support pages for step-by-step instructions when enabling or disabling security methods.