Hi Drago!
I would like to make a suggestion, could you please add 2fa via email? So if one would make a withdraw, you first send a email with a verification link before the transaction is processed.
The same would be for changing password. Almost every exchange supports 2fa via email, so I guess it shouldn't be to difficult to add it.
I know you support 2fa via google, but not every one has a smart phone and is able to use this method.
Otherwise I am more then happy with kraken, but not being able to have 2fa is the only reason that I am currently not using it for day trading, which is a shame as you are otherwise my favorite exchange.
If I understand what you're asking for, I wouldn't call it 2fa via email. Strictly speaking, 2fa is supposed to be something you own rather than something you know. But if you don't have a 2fa device, then your email is going to be accessible via something known (your password). Email confirmation would in effect be like asking for a second password, and you can set up the equivalent of this on our exchange just by creating a password for login and funding. If you go to Account > Security > Two-Factor Authentication > Account login and funding (setup) > Method > Password, you can set a second password for login and funding. (I just noticed that the verbiage says for login, deposits, and withdrawals, but really it's just for login and withdrawals).
Another thing you can do to secure your account without a two-factor device, either in conjunction with the above, or as an alternative to it, is to use the global settings lock
https://www.kraken.com/help/faq#global-settings-lockWhat this will do is lock your settings so that nobody can change your withdrawal settings (among other things). If an attacker gained access to your account, they could only withdraw to your existing withdrawal accounts (and if you set a password for this, only if they have the password). They could request a settings unlock, but then they'd have to wait for the specified number of days for the unlock to take place. Meanwhile, you'd receive a notification by email that an unlock was requested, and you'd have time to stop the thief before they do any damage.
Be careful with the settings lock though, because if you don't set a master key first
https://www.kraken.com/help/faq#master-keythen even you won't be able to unlock the settings until the specified number of days pass (no, customer support agents won't unlock for you - you just have to wait). If you create the master key first, the master key will allow you to unlock immediately. I'd recommend either not using the master key and setting the unlock to just a day or two (long enough to give you time to react if get you get an email about an unwarranted unlock request, but not so long that you can't stand to wait if you need to unlock), or creating a master key and setting the unlock for a longer period of time. If you go the master key route, this password should be kept in a safe place and *separate* from your other Kraken passwords.
Hope that helps to understand the security options we have for folks without 2fa devices. You can still lock down your account pretty darn well without them. Personally I'd prefer the options above over a simple verification link by email, but we'll consider what we might be able to do with email as well.
Thanks for this information, I have tested it and am quite satisfied. Just as a improvement I would suggest making it more clearer were one has to enter the second password. I tried for hours before I found out that my second password has to be entered in the "one-time only" password section/field.
(or maybe another bug?)