2fa 2fa 2fa. No 2fa and you can kiss your coins goodbye. Not sms 2fa. Authenticator only. If you use gmail make sure to have 2fa enabled - not sms. Make sure gmail is not forwarding your mail, no third party access, lock it down. Use a dedicated account just for business.

You can lock down everything in kraken. Best do it. Thieves are everywhere.