As Kraken’s Chief Security Officer, I’ve spent the past two years building one of the most advanced security programs in the cryptocurrency industry.
While most of my work involves hardening our security behind the scenes, I also work with our Product and Engineering team on a roadmap for client-facing features.
One of our goals is to make it easier for our clients to identify and activate security features that, while optional, really help to lock down their accounts and prevent compromises that could potentially result in a loss of funds.
Two-factor authentication (2FA) for account sign-in is probably the best example of a security upgrade that every client should set up, and we aim to make this process as easy as possible.
Another goal on our roadmap is to bake more security features directly into our platform that require no setup process from our clients at all.
Today, I’m happy to announce the release of four new security enhancements, available for all clients – Security Shield, Security Checkup, Device Approvals, and Device Management.
The next time you sign in to Kraken you will notice a small shield in the upper right corner of your screen. This shield will indicate the security state of your account and will prompt you to take action. Pulsing red is the lowest possible state and solid green is the best. Go for green, of course!
When you click on the Security Shield, you will have the option to begin a workflow that will walk you step-by-step down the path to a more secure account – from adding sign-in 2FA all the way to enabling the Global Settings Lock. Of course, you don’t have to add every security feature, but Security Checkup is there to help make every step simple and easy for you!
Many account takeovers begin with a phishing attack, in which an attacker intercepts a client’s sign-in credentials and uses them to sign in from the attacker’s own device.
Historically, if you were phished and an attacker obtained your username, password and even dynamic 2FA code (e.g. Google Authenticator code), the attacker could access your account by visiting our sign-in page and quickly entering the credentials you mistakenly provided them.
To combat this specific attack vector, we’ve enabled Device Approvals for all clients starting today.
The next time you sign in, you may see a screen telling you that we’ve detected an unrecognized device. At the same time, we send you an email containing a code, which you submit to approve that device.
Note: You only need to do this for new devices, so if you access Kraken from a single device, you are unlikely to see this step when signing in again.
While there are no silver bullets against phishing, we expect device approvals to mitigate roughly 60% of all account takeovers we see today. If an attacker were to phish you in the future, in most cases they would not be able to complete the device approval step.
Note that if the attacker also has access to your email, they might be able to approve their device – this is one of the many reasons to make sure the email associated with your Kraken account is very secure, by adding 2FA there as well.
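To make the mechanism described above concrete, here is an added sketch of a device-approval check that runs only after the password and sign-in 2FA have already been verified. This is illustrative code, not Kraken’s; the code length, validity window, attempt limit and the `send_email` callback are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # assumed: how long an emailed approval code stays valid
MAX_ATTEMPTS = 5        # assumed: wrong guesses tolerated before the code is discarded


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


class DeviceApprovals:
    """Per-account approved-device list plus pending one-time approval codes.
    sign_in() is only reached after the password and sign-in 2FA have passed."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.approved = {}  # account -> set of approved device ids
        self.pending = {}   # (account, device) -> {"digest", "expires", "attempts"}

    def sign_in(self, account, device_id, send_email):
        """True if the device is already approved; otherwise mint a code bound to
        this (account, device) pair, email it to the account owner, return False."""
        if device_id in self.approved.get(account, set()):
            return True
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self.pending[(account, device_id)] = {
            "digest": _digest(code), "expires": self.clock() + CODE_TTL_SECONDS, "attempts": 0}
        send_email(account, device_id, code)  # the mail names the device that asked
        return False

    def approve(self, account, device_id, code):
        """Consume the pending code for exactly this device. Expired, exhausted or
        mismatched codes fail closed; a code minted for another device never matches."""
        key = (account, device_id)
        entry = self.pending.get(key)
        if entry is None:
            return False
        entry["attempts"] += 1
        if self.clock() > entry["expires"] or entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[key]
            return False
        if not hmac.compare_digest(entry["digest"], _digest(code)):
            return False
        del self.pending[key]  # single use
        self.approved.setdefault(account, set()).add(device_id)
        return True

    def revoke(self, account, device_id):  # Device Management: next sign-in needs approval again
        self.approved.get(account, set()).discard(device_id)
```

The email step is the weak link the note above describes: whoever can read the owner’s inbox can complete the approval, which is why 2FA on the mailbox matters as much as on the exchange account.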
Once you’ve approved a device, you also need a place to see and manage your devices (and even signed-in sessions). Today, we are also releasing an update to our Security Center that includes Session & Device management.
The Security Center is historically where you’ve changed your password and added 2FA devices for sign-in, funding or trading. Starting today, you’ll also be able to see all your active sessions and approved devices. You can also revoke all or any combination of these as needed.
We have a large number of new security enhancements on the roadmap that will be rolled out throughout the rest of 2020 and 2021. Look for authentication enhancements, more activity logging and alternative methods for receiving critical notifications in future releases.
Chief Security Officer
PS – If you would like to meet me in person, please come to my free Kraken webinar entitled “Covid Security.” The webinar takes place on September 25 at 14:00 UTC.