Hi Serpens - thanks for letting us know about this. It's the first I've heard of an issue like this, but we'll look into it.
Hey Dargo,
sometimes the yubikey confirmation does not work. I'm not sure if the problem is the yubikey or if there is another problem.
But when I want to confirm a withdrawal it happens often (~20% of the time), that I get the message "the submitted form has expired" (or something like this, I did not copy the exact wording), even though not more than 15 seconds have passed.
Nonetheless the bitcoins were send. So now it happens,that I thougt the bitcoins were not send and send the amount twice.
Luckily it was one of my addresses so i can send the bitcoins back. But what if it was not my address? So you should fix this issue.
Serpens - Here's the reply I got from one of our devs: If it went through, it wouldn't have seen the form expired message. The form expired message would have prevented double withdrawals of the same request (resubmission of the same form). You probably got the browser resubmit your request page and refreshed the page, got the expired form page, then submitted a new request. Although we understand that people want to send directly from their Kraken account to third parties, it's probably best to fund a wallet you own first and send to third parties from there.
Yubikey is arguably more secure than GA but it's also less reliable and dependent upon network latency/conditions across multiple servers (done by consensus and requires something like at least 2 or
3 of Yubico's servers to approve the code within a very short amount of time).