Two factor authentication (2FA)
Hindi: इस पोस्ट को हिंदी में पढ़ने के लिए यहाँ क्लिक करें।
SEBI, on December 3rd, 2018, released a circular (PDF) highlighting the need for stock brokers and depository participants to maintain robust cyber security and a cyber resilience framework to protect the integrity of data and guard against breaches of privacy. This came into force on 30th September 2022, when brokers across the industry started offering various forms of 2FA. Zerodha has offered external TOTP 2FA support since 2018.
2FA is a subset of MFA (Multi-factor authentication). The different factors are typically classified like this and 2FA requires at least two distinct factors from this.
- What a person knows (a password, PIN, or a secret)
- What a person has in their possession (an identifiable physical device like a phone, a smartcard or a hardware token)
- What you are (biometric)
Thus, the combination of password and a PIN are not valid 2FA. A PIN is merely a numerical password that a person remembers.
The new Kite App Code
When you login to Kite web:
1FA – You are prompted for your username and password (what you know).
2FA – You are prompted to enter the App Code that pops up on your logged in session on the Kite App on your mobile device. The Kite mobile app has a mandatory biometric device lock, so in fact, it also acts as 3FA (What you have; your phone with the cryptographically authenticated Kite session. What you are; biometric). Again, it is imperative that biometric device lock here is enabled to enforce true 2FA.
The Kite mobile App Code internally uses the cryptographic TOTP mechanism. For ease of use, this is integrated directly into the Kite app. When you login to Kite web and enter your password, the 2FA App Code, which is only valid for a few seconds, pops up on your authenticated Kite mobile app on your phone. The significant majority (~99%) of our users who use Kite web also use Kite mobile, so this is a seamless experience.
The first login to Kite mobile requires a username and password (1FA) and an SMS OTP (2FA), after which, the biometric device lock kicks in for subsequent 2FA.
External TOTP
If you do not use the Kite mobile app, then you can set up an external TOTP app. This is typically done by using one of the many external TOTP options (BitWarden, Authy, Google Authenticator, Microsoft Authenticator, etc). It involves scanning a dynamically generated QR code on the Kite web app with the external TOTP authenticator. From then on, Kite web and Kite mobile will prompt for the external TOTP upon login, which the authenticator will produce. These TOTP codes only live up to a few seconds. The authenticator apps require no internet connection and the TOTP codes are generated cryptographically on the device with no data transmission.
How external TOTP / Kite mobile App Code is better than SMS
SMS is the most commonly used form of 2FA across industries. However, unlike other industries, capital markets have some peculiarities that have an impact on SMS has a 2FA mode. Active traders and investors not only use, but login to trading platforms daily, as users are forcibly logged out at the end of the day as per regulations.
Around the market opening every day, millions of users log into trading platforms within a short period of time. This can also happen during volatile instances at any point in the day without warning. Sending tens of thousands of SMSes per second via telcos carrying a time-sensitive login OTP has several problems.
- The regulation for forced daily log out, the phenomenon of tens of thousands of users logging in per second, every day, is unique to the broking industry.
- The criticality of login to a trading platform is extremely high. A delayed SMS OTP which prevents a user from logging in and squaring off a position in a timely manner can be disastrous. This disaster can happen on a large scale on a volatile day and can affect millions of users.
- Non-delivery and late delivery of SMS OTPs are known problems. This is guaranteed to be exacerbated in a situation where millions of SMS OTPs must be sent within seconds, causing many users to be locked out of trading platforms.
Thus, SMS OTPs for 2FA in the specific context of trading platforms pose a high risk for large numbers of users. Kite mobile’s App Code and external TOTP support have been built with careful consideration.
Cyberfrauds
We actively assist our clients and investigations by law enforcement agencies with cases of account takeover, fraud, and unauthorized hacking. Numerous such cases over the years boil down to these top reasons in order.
- Users willingly sharing their login credentials with unscrupulous parties who promise to trade on their behalf and generate returns.
- Users unknowingly sharing their login credentials via social engineering.
- Users unknowingly sharing their login credentials on a phishing website.
- Using an e-mail service with weak security where the user’s e-mail box is compromised, and an attacker is able to use the e-mail box to do a password reset to gain access to the trading platform. We have had to block clients from using e-mails with insecure providers to prevent rampant targeting of our users.
To keep your account safe:
- Use a long password that is not used anywhere else. Short phrases and sentences make for strong passwords.
- Never share your account credentials with others. Zerodha will never ask for account credentials or OTPs over e-mail, messages, or phone.
- Stay away from people promising to trade on your behalf and promising returns. The significant majority of cyber fraud cases we have assisted with are our clients being defrauded this way.
- Enable a strong device lock on your phone.
- Be extremely cautious when entering credentials into websites opened via links sent to SMSes, e-mails etc. Make sure the address of the webpage is legitimate, for example, *.zerodha.com for any of our portals.
After filling appcode before I could click continue..appcode again pops…so unable to login
Hi i have 3 enabled 2fa still 3 everytime it ask me to enable whenever i login is this in ui or just me getting it
2FA App Code
Hi Naveen, you can find the app code here.
Dear Sir,
I am not being able to open my KITE account , whenever trying using my user ID and password it is showing 2FA security key to be given. How this problem can be resolved. I am stuck up at the stage of it is showing enable 2FA security. user Id is EGH102, PL. RESOLVE IT.
Regards
Bandana Pal
Hi Bandana, as per new exchange regulations, it is mandatory to enable TOTP 2Factor login on your account. We’ve explained this here.
Alternatively, you can enable device lock on your mobile, 2FA will not be asked. Here’s how to do it.
CLIENT CODE FLU177
NOT USER FREINDLY APPLICATION
NOT ABLE TO GENERATE QR CODE FOR AUTHENTICATOR
NOT RECOMMENDED FOR SHARE TRADING APPLICATION
FEELS REGRET TO HAVE ACCOUNT IN ZERODHA
Good decision to enable 2FA since it improves security, but you guys sure know to kill ease of use. Need to enter my password+2FA every single time I close my browser because Kite decides to log me out every time I close all my browser windows. It’s a full 30 second login flow multiple times a day now.
Had created a support ticket and also suggested secure alternatives that improve usability. They said they would forward the feedback to Dev team but no update on if the suggestion is being implemented or being discarded by now.
Hi Vishal, we’re getting this checked. You will have an update on your ticket.
I am unable to log in to Kite. After entering my password, I am prompted to enter an OTP. However, once I enter the OTP, a 2FA prompt appears. Even after attaching my fingerprint, the prompt keeps popping up repeatedly, and I am unable to access my account.
Hi Ayush, could you please create a ticket on: https://support.zerodha.com/ with details of the issue, so we can have this resolved at the earliest?
I am unable to log in to Kite. After entering my password, I am prompted to enter an OTP. However, once I enter the OTP, a 2FA prompt appears. Even after attaching my fingerprint, the prompt keeps popping up repeatedly, and I am unable to access my account.
Hi Bhavesh, could you please reinstall the app and recheck? If the issue persists, please create a ticket here so our team can assist you?
2FA App code asking to my zerodha stock market kindly how can I create 2FA Appcode
Hi Ashok, we’ve explained the process here.
I HAVE RECENTLY OPENED DEMAT ACCOUNT IN ZERODHA ….. I AM NOT ABLE TO TAKE THE SECOND PASSWORD … PLEASE EXTEND SUITABLE HELP
H S JALWAN
Hi Jalwan, could you please create a ticket at support.zerodha.com so our team can check and assist?
2FA could not be possible to apply, app not user friendly.
Now completely failed to open my trading account. Stopped trading, you should set 2FA for me , alternatively , I authorise you close my account, not able to Trade since many days.
Hi Saraswathamma, what seems to be the issue that you’re facing while setting up 2FA? could you please create a ticket at support.zerodha.com and elaborate so that our team can check and assist?
Having problem in generating CDSL TIN.
Reporting BO ID & PAN not matching
Hi Rachaprolu, could you please create a ticket here so that our team can check and assist?
I am handling 3 accounts of my family members. Now it’s very difficult to look after all the accounts.
How can I do this as efficient as before with this system.
You can use Google authenticator where on same mobile you can have multiple 2FA for multiple accounts
I had paid the account opening fees of 200 rupees. No follow up no reply.
😀
I wish to have 40 FAs, these will do the best.
What if I don’t want to set password/finger print requirement for unloking my phone???
3FA is not enough you atleast need 10 FA or 20 FA so actual user cannot place the orders
What if mobile phone is lost for some reason and I do not have access to the Kite App for the code, then how to login to Kite Web?
Hey Shweta, in such a situation you can reset the password by following the steps given here and enable external TOTP for your account.
Most of these TOTP apps can be installed on your laptop/desktop too.