WARNING: Kraken 2FA can be bypassed.

in #kraken · 8 years ago (edited)

tl;dr: If you are going to use 2FA on Kraken, use it for login and not just withdrawals.

This is a short story about someone I know who lost coins on Kraken recently. They claimed that they had 2FA enabled for withdrawals but that their account was looted. They said that they emailed Kraken, but Kraken didn't care to do anything to help rectify the situation.

At first I thought, that sucks, but attributed it to some user error, as is normally the case. But after the Bitfinex hack today, I started to think about what they said about the exchange security on Kraken.

So, I asked someone else with 2FA on Kraken to verify the claim that if you have a username/password and 2FA on withdrawals, you can turn off 2FA without any additional security, thus bypassing it completely. They just confirmed that yes, this does work, and turning off 2FA does not ask for a 2FA code or even a password.

Fair warning to you all. If you are going to use 2FA on Kraken, use it for login and not just withdrawals.
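The missing check described above, sketched as an added example (not Kraken's code and not part of the original post): a settings handler that lets any logged-in session drop a 2FA scope, next to one that demands a currently valid TOTP code first. The `Account` model, the function names and the `"withdraw"` scope label are assumptions made for illustration, and the secret and timestamp are constructed.

```python
import hashlib, hmac, struct
from dataclasses import dataclass, field

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

@dataclass
class Account:                      # hypothetical model, not Kraken's
    totp_secret: bytes
    twofa_scopes: set = field(default_factory=set)   # e.g. {"withdraw"}

def disable_2fa_weak(acct: Account, logged_in: bool, scope: str) -> bool:
    """Behaviour the post describes: a logged-in session is enough."""
    if not logged_in:
        return False
    acct.twofa_scopes.discard(scope)
    return True

def disable_2fa_hardened(acct, logged_in, scope, code, now) -> bool:
    """Step-up: removing a 2FA scope needs a currently valid code."""
    if not logged_in or scope not in acct.twofa_scopes:
        return False
    # Accept the current and previous time step to tolerate clock drift.
    valid = any(hmac.compare_digest(totp(acct.totp_secret, now - d), code or "")
                for d in (0, 30))
    if valid:
        acct.twofa_scopes.discard(scope)
    return valid

def demo():
    secret, now = b"constructed-demo-secret", 1_700_000_000  # constructed values
    # Password-only session: 2FA is set on withdrawals but not on login.
    a = Account(secret, {"withdraw"})
    weak = disable_2fa_weak(a, True, "withdraw"), "withdraw" in a.twofa_scopes
    b = Account(secret, {"withdraw"})
    no_code = disable_2fa_hardened(b, True, "withdraw", None, now)
    still_on = "withdraw" in b.twofa_scopes
    with_code = disable_2fa_hardened(b, True, "withdraw", totp(secret, now), now)
    return weak, no_code, still_on, with_code

if __name__ == "__main__":
    print(demo())
```

With 2FA also enabled on login, the password-only session in the weak case would not exist in the first place, which is the mitigation the post recommends.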


So the login 2FA cannot be bypassed? Then the title is misleading :)

2FA on withdrawals and trading can be disabled if 2FA is not also enabled for login. Not misleading.

Keep up the great work @bitjedi
Upvoted