Kraken vulnerable to session hijacking

I've been using Kraken for almost a decade and moved a huge amount of money through it, though I never held it there. And after some detailed playing around with its security features, I saw some glaring vulnerabilities which don't seem to be a bug but rather a design, which is even more concerning.

First and foremost, while the login option is rather usual for crypto exchanges and from what I can tell safe, IF the bad actor manages to get in, you're screwed.

It's incomprehensible why they'd ask you for your 2FA while ADDING an additional 2FA (authenticator or passkeys) but not while REMOVING it. This lack of step-up means that if the perpetrator manages to pull off a session hijacking (with malware on your device, most likely), there's not a thing stopping him from changing even the most critical settings of your account – changing the password, removing/changing 2FA, e-mail, etc.

Kraken will respond that they have a Master Key and GLS settings for this, but imo it's outdated, frictional and not enough – once again, you can even remove the Master Key without any additional authorisation lmao.

On top of that, there's no option to make decent backups for your master password, so the risk of being locked out of your account makes it not worth even having one. Yes, you can back up a simple archaic password, but you can't add a second/third passkey as a Master Key backup. Meanwhile, the GLS setting of locking everything in your account is as archaic and full of friction as it gets.

In the Christ Year of 2025, for such a critical feature as adding a new withdrawal address, all they ask for is an e-mail confirmation. No 2FA app, no passkeys, no nothing.

And to be precise, it's not even passkeys – it's U2FA, so there's no safer and more convenient passwordless tech either.

Their whole security system feels very fragmented (another example: you can add passkeys for login, but not for funding, just TOTP for the latter) and lacks basic logic.

And you don't need to reinvent the bicycle or be super innovative about this. Just go to Binance and look at what a flawless security architecture and a real passkey application look like. Once you add passkeys and turn on "Use passkey for all critical actions", your account becomes virtually unhackable, not to mention the convenience: you don't need a dozen other outdated security options such as passwords, authenticators, TOTPs, account lockdowns, etc.

So until they solve this, I'm done on/off-ramping with them. It's not 2021 anymore; there are alternatives.

submitted by /u/robis87