SEBI, on December 3rd, 2018, released a circular (PDF) highlighting the need for stock brokers and depository participants to maintain robust cyber security and a cyber resilience framework to protect the integrity of data and guard against breaches of privacy. This came into force on 30th September 2022, when brokers across the industry started offering various forms of 2FA. Zerodha has offered external TOTP 2FA support since 2018.
2FA is a subset of MFA (Multi-factor authentication). The factors are typically classified into the following categories, and 2FA requires at least two distinct factors from among them:
- What a person knows (a password, PIN, or a secret)
- What a person has in their possession (an identifiable physical device like a phone, a smartcard or a hardware token)
- What a person is (biometric)
Thus, the combination of a password and a PIN is not valid 2FA. A PIN is merely a numerical password that a person remembers, so both belong to the same factor.
The new Kite App Code
When you login to Kite web:
1FA – You are prompted for your username and password (what you know).
2FA – You are prompted to enter the App Code that pops up on your logged in session of the Kite App on your mobile device. The Kite mobile app has a mandatory biometric device lock, so in effect it also adds a third factor (what you have: your phone with the cryptographically authenticated Kite session; what you are: biometric). Again, it is imperative that the biometric device lock is enabled here to enforce true 2FA.
The Kite mobile App Code internally uses the cryptographic TOTP mechanism. For ease of use, this is integrated directly into the Kite app. When you login to Kite web and enter your password, the 2FA App Code, which is only valid for a few seconds, pops up on your authenticated Kite mobile app on your phone. The significant majority (~99%) of our users who use Kite web also use Kite mobile, so this is a seamless experience.
The first login to Kite mobile requires a username and password (1FA) and an SMS OTP (2FA), after which, the biometric device lock kicks in for subsequent 2FA.
If you do not use the Kite mobile app, then you can set up an external TOTP app. This is typically done by using one of the many external TOTP options (BitWarden, Authy, Google Authenticator, Microsoft Authenticator, etc). It involves scanning a dynamically generated QR code on the Kite web app with the external TOTP authenticator. From then on, Kite web and Kite mobile will prompt for the external TOTP upon login, which the authenticator will produce. These TOTP codes only live up to a few seconds. The authenticator apps require no internet connection and the TOTP codes are generated cryptographically on the device with no data transmission.
How external TOTP / Kite mobile App Code is better than SMS
SMS is the most commonly used form of 2FA across industries. However, unlike other industries, capital markets have some peculiarities that affect the suitability of SMS as a 2FA mode. Active traders and investors not only use trading platforms daily, they log in to them daily, because users are forcibly logged out at the end of the day as per regulations.
Around the market opening every day, millions of users log into trading platforms within a short period of time. This can also happen during volatile periods at any point in the day, without warning. Sending tens of thousands of SMSes per second via telcos, each carrying a time-sensitive login OTP, has several problems.
- Because of the regulation mandating a forced daily log out, the phenomenon of tens of thousands of users logging in per second, every day, is unique to the broking industry.
- The criticality of login to a trading platform is extremely high. A delayed SMS OTP which prevents a user from logging in and squaring off a position in a timely manner can be disastrous. This disaster can happen on a large scale on a volatile day and can affect millions of users.
- Non-delivery and late delivery of SMS OTPs are known problems. This is guaranteed to be exacerbated in a situation where millions of SMS OTPs must be sent within seconds, causing many users to be locked out of trading platforms.
Thus, SMS OTPs for 2FA in the specific context of trading platforms pose a high risk for large numbers of users. Kite mobile’s App Code and external TOTP support have been built with careful consideration.
We actively assist our clients, and investigations by law enforcement agencies, with cases of account takeover, fraud, and unauthorized hacking. Numerous such cases over the years boil down to these top reasons, in order:
- Users willingly sharing their login credentials with unscrupulous parties who promise to trade on their behalf and generate returns.
- Users unknowingly sharing their login credentials via social engineering.
- Users unknowingly sharing their login credentials on a phishing website.
- Using an e-mail service with weak security where the user’s e-mail box is compromised, and an attacker is able to use the e-mail box to do a password reset to gain access to the trading platform. We have had to block clients from using e-mails with insecure providers to prevent rampant targeting of our users.
To keep your account safe:
- Use a long password that is not used anywhere else. Short phrases and sentences make for strong passwords.
- Never share your account credentials with others. Zerodha will never ask for account credentials or OTPs over e-mail, messages, or phone.
- Stay away from people promising to trade on your behalf and promising returns. The significant majority of cyber fraud cases we have assisted with are our clients being defrauded this way.
- Enable a strong device lock on your phone.
- Be extremely cautious when entering credentials into websites opened via links sent to SMSes, e-mails etc. Make sure the address of the webpage is legitimate, for example, *.zerodha.com for any of our portals.