Two-factor authentication
Two-factor authentication (2FA) adds a second check on top of your email login, so even someone who got into your email still can't get into Kohana. Turn it on before you fund your account.
Choose a method
Kohana supports several second factors. An authenticator app or a passkey is strongest; SMS is a convenient fallback.
Authenticator app (TOTP), recommended
A free app (Google Authenticator, Authy, 1Password, etc.) generates a 6-digit code that changes every 30 seconds.
- Go to Account → Security → Two-factor authentication.
- Choose Authenticator app.
- Scan the QR code with your app, or enter the setup key manually.
- Type the current 6-digit code to confirm.
- Save your recovery codes (see below).
Passkeys (WebAuthn)
A passkey lets you sign in with your device's fingerprint, face, or a hardware security key. Passkeys are phishing-resistant (they only work on the real Kohana site) and there's nothing to type.
- Go to Account → Security → Passkeys.
- Choose Add a passkey and follow your device's prompt.
- Register more than one (e.g. your phone and a hardware key) so you're never locked out.
SMS codes
Kohana can text you a one-time code. SMS is better than nothing, but it's the weakest option (it can be intercepted or SIM-swapped). Prefer an app or passkey, and keep SMS as a backup.
Recovery codes
When you set up 2FA, Kohana gives you a set of one-time recovery codes. These let you get back into your account if you lose your authenticator device.
Store recovery codes offline
Save them somewhere safe and offline, such as in a password manager or printed and locked away. Each code works once. Anyone with these codes can bypass your 2FA, so treat them like cash.
Step-up checks for sensitive actions
Even when you're logged in, Kohana asks for a fresh 2FA code before sensitive actions like withdrawals and, where enabled, large trades.
This "step-up" check means someone who finds an unlocked, logged-in session still can't move your money. The confirmation lasts a short window, then expires.
Troubleshooting
- My code is rejected. TOTP codes are time-based, so make sure your phone's clock is set to update automatically, and enter the current code.
- I lost my authenticator device. Sign in using a recovery code, then remove the old authenticator and set up a new one.
- I lost my device and my recovery codes. Contact support. You'll need to re-verify your identity before access can be restored, and that is deliberate.