Zerodha has moved to PIN, TOTP based 2fa for login!

_smartz

More detailed post here: https://zerodha.com/z-connect/zerodha/bulletin-latest-at-zerodha/an-all-new-login-flow-for-kite

Our personal question based 2Factor login system has been a long pending headache. We’ve been unable to replace it for the longest time due to 3rd party legacy systems, but that is now behind us. The new login system provides significant usability and security improvements. Instead of guessable questions and answers, you can now set a 6 digit PIN, like on your phone. This same PIN will soon be implemented across the critical parts of our platforms, along with fingerprint authentication on the upcoming Kite 3.0 mobile app for better security and ease of access. In addition, we now support a mobile authenticator based TOTP system for added security.
 
@forgivenchildofgod The Kite app's change log gave some hints that the app now supports PIN-based 2FA, but I never found any option to enable that through Kite web/Console.

Now after first login to Kite web it's telling you to set a pin. You can enable app based 2fa on the password and security options.
 
@resjudicata I wonder why all banks don't implement TOTP-based authentication. I have mentioned this almost every time my bank websites ask me for feedback. Question to developers on this sub: is it too hard to implement?
 
@forgivenchildofgod Yeah it's pathetic that with just a password anyone can break into my account and see some personal details. Though some banks like HDFC use cookies and IP address to determine login from a new device and won't let you log in until you verify with OTP.

SBI has a Secure OTP app; after setting it up, you get OTPs in that app only. Their SBI Card website login doesn't show any personal info.

DBS Digibank also hides any personal info on their NetBanking until you verify with OTP. Then their app requires two OTPs (email + SMS) in order to log in with a new device.
 
