<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Security on WebNotes</title><link>https://v2.webnotes.in/categories/security/</link><description>Recent content in Security on WebNotes</description><generator>Hugo</generator><language>en-IN</language><lastBuildDate>Sat, 20 Jun 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://v2.webnotes.in/categories/security/index.xml" rel="self" type="application/rss+xml"/><item><title>Does Zerodha solicit fund transfers to personal accounts?</title><link>https://v2.webnotes.in/does-zerodha-solicit-fund-transfers/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/does-zerodha-solicit-fund-transfers/</guid><description>&lt;p&gt;&lt;strong&gt;Zerodha does not solicit fund transfers to personal or third-party accounts.&lt;/strong&gt; Client money moves in only one sanctioned path: from your own registered bank account or &lt;a href="https://v2.webnotes.in/how-to-add-funds-zerodha-upi/"&gt;UPI&lt;/a&gt;
 into Zerodha&amp;rsquo;s regulated client-funds pool account, never to an individual&amp;rsquo;s account, and Zerodha never asks you to transfer money to provide support, to unblock an account, or to release a payout. Any request to send money to a personal or third-party account in Zerodha&amp;rsquo;s name is fraud, not a Zerodha process, and the regulatory architecture of client funds is built precisely to make the legitimate path the only path money can take.&lt;/p&gt;</description></item><item><title>How to change your Zerodha user ID</title><link>https://v2.webnotes.in/how-to-change-user-id-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-change-user-id-zerodha/</guid><description>&lt;p&gt;&lt;strong&gt;No, you cannot change your Zerodha user ID.&lt;/strong&gt; Zerodha&amp;rsquo;s own help desk states it plainly: you cannot change or customise your user ID, because it is registered on the exchange to track all your transactions, which makes it permanent and unchangeable. The 12-character &lt;a href="https://v2.webnotes.in/zerodha-12-character-user-id-format/"&gt;user ID&lt;/a&gt;, the code such as AB1234 that identifies your account, is not an editable profile field like your email or mobile. It is an exchange-level identifier tied to every trade you have placed. This guide explains why it is fixed, what you can change instead, and how to recover a forgotten ID, which is the real need behind most searches to &amp;ldquo;change&amp;rdquo; one.&lt;/p&gt;</description></item><item><title>How to disable TOTP on Zerodha Kite</title><link>https://v2.webnotes.in/how-to-disable-totp-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-disable-totp-zerodha/</guid><description>&lt;p&gt;&lt;strong&gt;To disable TOTP on &lt;a href="https://v2.webnotes.in/zerodha/"&gt;Zerodha&lt;/a&gt;
 &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;, log in, open My profile then Password &amp;amp; security, click Disable external TOTP, enter your Kite login password, and click Disable; the account then reverts to the &lt;a href="https://v2.webnotes.in/sms-otp/" rel="nofollow"&gt;SMS OTP&lt;/a&gt;
 as its second factor.&lt;/strong&gt; You cannot switch the second factor off entirely, because two-factor authentication on a trading login is mandated by the exchanges and SEBI.&lt;/p&gt;
&lt;p&gt;This is the point most people miss. &amp;ldquo;Disable TOTP&amp;rdquo; does not mean &amp;ldquo;log in with just a password.&amp;rdquo; It means swap the time-based app code back for the text-message code. One second factor always remains. Zerodha&amp;rsquo;s support pages are explicit that the OTP step at login cannot be eliminated, only changed in form.&lt;/p&gt;</description></item><item><title>How to enable biometric login on Kite (Touch ID, Face ID, fingerprint)</title><link>https://v2.webnotes.in/how-to-enable-biometric-kite/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-enable-biometric-kite/</guid><description>&lt;p&gt;Biometric login on &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 uses your phone&amp;rsquo;s own fingerprint, Touch ID, or Face ID, registered in your operating-system settings, which Kite invokes as device lock at login. It is the second authentication factor for the Kite app, mandatory since 23 September 2022, and the biometric never leaves your phone: Zerodha does not store your fingerprint or face data, it asks the OS to confirm an unlock and receives only a pass or fail. If the scan fails, your phone&amp;rsquo;s PIN, pattern, or passcode is the fallback.&lt;/p&gt;</description></item><item><title>How to enable device lock on the Kite app</title><link>https://v2.webnotes.in/how-to-enable-device-lock-kite/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-enable-device-lock-kite/</guid><description>&lt;p&gt;Device lock on the &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 app is your phone&amp;rsquo;s own screen lock, a PIN, pattern, fingerprint, or Face ID, that Kite uses as the second authentication factor when you log in. It is not a separate code you type into the app and it is not optional: device lock for Kite app login has been mandatory since 23 September 2022, because it satisfies the requirement set by the Securities and Exchange Board of India (&lt;a href="https://v2.webnotes.in/sebi/"&gt;SEBI&lt;/a&gt;) for two-factor authentication (2FA) on trading-app login. Your lock data stays on your phone; Zerodha does not store it.&lt;/p&gt;</description></item><item><title>How to fix Kite logging out when switching apps</title><link>https://v2.webnotes.in/how-to-fix-kite-logout-switching-apps/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-fix-kite-logout-switching-apps/</guid><description>&lt;p&gt;The &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 app logs you out when you switch to another app, such as an authenticator app to copy a time-based one-time password (TOTP), because your device is in power-saving mode or is preventing Kite from running in the background; the operating system kills the backgrounded app and drops your session. Per Zerodha&amp;rsquo;s own support article, this is a power-management behaviour, not a deliberate security lock that triggers on app switch. The fix is to stop the OS from suspending Kite: turn off power saving, exempt Kite from battery optimisation, or sidestep the switch entirely by using device-lock biometric login instead of TOTP.&lt;/p&gt;</description></item><item><title>How to fix not receiving emails from Zerodha</title><link>https://v2.webnotes.in/how-to-fix-not-receiving-zerodha-emails/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-fix-not-receiving-zerodha-emails/</guid><description>&lt;p&gt;If you are not receiving emails from Zerodha, the cause is almost always on the delivery side, not Zerodha&amp;rsquo;s: the mail is in a spam, junk, promotions or archived folder; your email domain (often an office domain) is blocking it; your inbox is full; a forwarding rule is diverting it; or your registered email is wrong or outdated. Zerodha sends few emails by design, so a quiet inbox is sometimes normal, but a genuinely missing statement or alert is usually one of these fixable causes.&lt;/p&gt;</description></item><item><title>How to fix the Invalid TOTP error on Zerodha Kite</title><link>https://v2.webnotes.in/how-to-fix-invalid-totp-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-fix-invalid-totp-zerodha/</guid><description>&lt;p&gt;&lt;strong&gt;The Invalid TOTP error on &lt;a href="https://v2.webnotes.in/zerodha/"&gt;Zerodha&lt;/a&gt;
 &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 is a clock problem, not a wrong code: Kite rejects the &lt;a href="https://v2.webnotes.in/how-to-set-up-totp-zerodha/"&gt;TOTP&lt;/a&gt;
 when the clock on the device running your authenticator does not match network time, so set that phone to automatic or network-provided time and enter a fresh six-digit code.&lt;/strong&gt; TOTP is time-based; a drift of even a minute makes the app compute the code for the wrong 30-second window, and Kite refuses it.&lt;/p&gt;
&lt;p&gt;This is the single most common cause, and it is also the least obvious one, because the code on screen looks perfectly valid. It is valid, for a moment that has already passed or not yet arrived. The fix is to correct the clock on the device that generates the code, which is the phone holding Google Authenticator or Authy, not the computer you are logging in from.&lt;/p&gt;</description></item><item><title>How to freeze and unfreeze your Zerodha demat account</title><link>https://v2.webnotes.in/how-to-freeze-unfreeze-demat-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-freeze-unfreeze-demat-zerodha/</guid><description>&lt;p&gt;You can voluntarily freeze your own &lt;a href="https://v2.webnotes.in/zerodha/"&gt;Zerodha&lt;/a&gt;
 &lt;a href="https://v2.webnotes.in/demat-account/"&gt;demat account&lt;/a&gt;, or specific securities within it, against debit, credit, or both, using the &lt;a href="https://v2.webnotes.in/cdsl/"&gt;CDSL&lt;/a&gt;
 freeze facility. A debit freeze stops the holdings being sold or transferred out, which makes it a direct defence against an unauthorised sale if your login is ever compromised. You execute the freeze by submitting the CDSL freeze/unfreeze request form to Zerodha, eSigned and raised through a &lt;a href="https://v2.webnotes.in/how-to-create-ticket-zerodha/"&gt;support ticket&lt;/a&gt;; CDSL processes it within 72 working hours and charges nothing.&lt;/p&gt;</description></item><item><title>How to log in to Zerodha Console</title><link>https://v2.webnotes.in/how-to-login-zerodha-console/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-login-zerodha-console/</guid><description>&lt;p&gt;&lt;strong&gt;Zerodha Console is the broker&amp;rsquo;s reporting and back-office platform at console.zerodha.com, and you log in to it with your Kite credentials by clicking Login with Kite.&lt;/strong&gt; Console has no username or password of its own. It authenticates every client through the same &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 login system, using the same 12-character &lt;a href="https://v2.webnotes.in/zerodha-12-character-user-id-format/"&gt;user ID&lt;/a&gt;, the same password, and the same second factor. This guide covers the exact login flow, why Console and Kite share one credential set, and the access problems that send people looking for help.&lt;/p&gt;</description></item><item><title>How to log in to Zerodha when your mobile is lost</title><link>https://v2.webnotes.in/how-to-login-mobile-lost-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-login-mobile-lost-zerodha/</guid><description>&lt;p&gt;&lt;strong&gt;If your registered mobile is lost, you regain Kite access by switching your second factor from SMS OTP to a TOTP authenticator app, which generates the 6-digit login code on any device without an SMS.&lt;/strong&gt; SMS-based two-factor authentication depends on the SIM in your hand; a lost phone breaks it. The fix is a &lt;a href="https://v2.webnotes.in/kite-app-code/"&gt;TOTP authenticator&lt;/a&gt;, set up during a password reset that you verify by email rather than SMS. This guide walks that reset-and-switch flow, the change-of-mobile route to restore your number, and the harder case where both your mobile and email are gone.&lt;/p&gt;</description></item><item><title>How to recover a forgotten Kite PIN</title><link>https://v2.webnotes.in/how-to-recover-kite-pin/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-recover-kite-pin/</guid><description>&lt;p&gt;&lt;strong&gt;The Kite PIN is the 6-digit second factor you enter after your password, and you reset a forgotten one through the Forgot user ID or password flow on kite.zerodha.com.&lt;/strong&gt; There is no separate Forgot PIN button, because the PIN is part of your login credentials, not a standalone code. Resetting it routes through the same screen that resets the password: user ID, PAN, an OTP on email or SMS, then a new password and a new PIN set together. This guide walks that reset, explains how the PIN relates to the full login, and covers the switch to a &lt;a href="https://v2.webnotes.in/kite-app-code/"&gt;TOTP authenticator&lt;/a&gt;
 if you would rather not memorise a PIN at all.&lt;/p&gt;</description></item><item><title>How to recover a lost TOTP on Zerodha Kite</title><link>https://v2.webnotes.in/how-to-recover-lost-totp-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-recover-lost-totp-zerodha/</guid><description>&lt;p&gt;&lt;strong&gt;If you lost the phone holding your authenticator, deleted the app, or wiped the device, recover access on &lt;a href="https://v2.webnotes.in/zerodha/"&gt;Zerodha&lt;/a&gt;
 &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 by clicking Forgot user ID or password? on the login page; verify with your user ID, PAN, and an OTP to your registered email or mobile, set a new password, then re-enrol TOTP under Method 2: External authenticator and scan a fresh QR code.&lt;/strong&gt; The standard reset is self-service and free; no support ticket is needed unless you have also lost access to both your registered email and mobile.&lt;/p&gt;</description></item><item><title>How to remove the temporary OTP on Kite</title><link>https://v2.webnotes.in/how-to-remove-temporary-otp-kite/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-remove-temporary-otp-kite/</guid><description>&lt;p&gt;&lt;strong&gt;You cannot remove the temporary OTP step on &lt;a href="https://v2.webnotes.in/zerodha/"&gt;Zerodha&lt;/a&gt;
 &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;, because NSE and &lt;a href="https://v2.webnotes.in/sebi/"&gt;SEBI&lt;/a&gt;
 require a second authentication factor on every trading login; what you can do is switch the temporary OTP from an SMS-delivered code to an authenticator-generated &lt;a href="https://v2.webnotes.in/how-to-set-up-totp-zerodha/"&gt;TOTP&lt;/a&gt;, under My profile then Password &amp;amp; security.&lt;/strong&gt; The OTP step itself is mandatory and stays; only its form is yours to choose.&lt;/p&gt;
&lt;p&gt;The phrase &amp;ldquo;temporary OTP&amp;rdquo; describes the time-limited one-time password Kite asks for after your password at each login. It is temporary in the literal sense: each code is valid for a short window, about 30 seconds for an authenticator code, then expires. People searching to &amp;ldquo;remove&amp;rdquo; it usually mean one of two things: they want to stop the SMS-delivered OTP and use something smoother, or Zerodha issued them a one-off temporary access after a lockout and they want to know how to get back to a normal login. This guide covers both.&lt;/p&gt;</description></item><item><title>How to reset the Zerodha support code (ZPin)</title><link>https://v2.webnotes.in/how-to-reset-zpin-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-reset-zpin-zerodha/</guid><description>&lt;p&gt;The Zerodha support code, which Zerodha also labels the &lt;strong&gt;ZPin&lt;/strong&gt; or telephone code, is a four-digit identifier that the interactive voice response (IVR) system asks for to authenticate you before it connects your call to a &lt;a href="https://v2.webnotes.in/zerodha/"&gt;Zerodha&lt;/a&gt;
 support agent. You did not choose it and it is not a login credential. It does one job: it proves the caller is the account holder when the call comes from a number that is not registered on the account. You reset it through &lt;a href="https://v2.webnotes.in/zerodha-console/"&gt;Console&lt;/a&gt;
 after a one-time-password (OTP) check, and you can view it any time in the &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 app, Kite web, or Console.&lt;/p&gt;</description></item><item><title>How to respond to a Zerodha email asking you to authorise your holdings</title><link>https://v2.webnotes.in/how-to-authorise-holdings-email-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-authorise-holdings-email-zerodha/</guid><description>&lt;p&gt;A Zerodha email asking you to authorise your holdings means you sold securities from your &lt;a href="https://v2.webnotes.in/demat-account/"&gt;demat account&lt;/a&gt;
 without a standing &lt;a href="https://v2.webnotes.in/how-to-sign-ddpi-zerodha/"&gt;DDPI&lt;/a&gt;
 or POA, so the sale needs your explicit &lt;a href="https://v2.webnotes.in/cdsl/"&gt;CDSL&lt;/a&gt;
 authorisation before it can settle; you complete it with your CDSL TPIN through the link in the email, before 7:00 PM the same day. This is not a security alert or a problem with your account. It is the depository asking you to approve a specific debit of your own shares, which is required precisely because you have not given the broker a standing instruction to do it for you.&lt;/p&gt;</description></item><item><title>How to respond to an additional-documents email from Zerodha</title><link>https://v2.webnotes.in/how-to-respond-additional-documents-email-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-respond-additional-documents-email-zerodha/</guid><description>&lt;p&gt;If Zerodha emails you asking for additional documents during onboarding or &lt;a href="https://v2.webnotes.in/how-to-re-kyc-zerodha/"&gt;re-KYC&lt;/a&gt;, the safe response is to verify the email is genuine first, then upload the document only through your own Zerodha login at support.zerodha.com or signup.zerodha.com/rekyc, never through a link in the email, an SMS or a WhatsApp message. A genuine request always corresponds to a pending item visible inside your own logged-in account; if the demand exists only in the email, treat it as phishing.&lt;/p&gt;</description></item><item><title>How to revoke connected apps on Kite</title><link>https://v2.webnotes.in/how-to-revoke-kite-connected-apps/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-revoke-kite-connected-apps/</guid><description>&lt;p&gt;Revoking a &lt;strong&gt;connected app on Kite&lt;/strong&gt; removes a third-party platform&amp;rsquo;s standing permission to access your &lt;a href="https://v2.webnotes.in/zerodha/"&gt;Zerodha&lt;/a&gt;
 account. On &lt;a href="https://v2.webnotes.in/kite-web/"&gt;Kite web&lt;/a&gt;
 you click your client ID, then My Profile, then Apps, then Revoke against the app; on the &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite app&lt;/a&gt;
 you tap your client ID, then Connected Apps, then the app, then Revoke. The action removes that app&amp;rsquo;s permission to access your trading data and account information, so a platform like &lt;a href="https://v2.webnotes.in/sensibull/"&gt;Sensibull&lt;/a&gt;, &lt;a href="https://v2.webnotes.in/smallcase/"&gt;smallcase&lt;/a&gt;
 or &lt;a href="https://v2.webnotes.in/streak/" rel="nofollow"&gt;Streak&lt;/a&gt;
 can no longer read your holdings or place orders until you authorise it again.&lt;/p&gt;</description></item><item><title>How to secure an Indian trading and demat account: best practices</title><link>https://v2.webnotes.in/how-to-secure-trading-account/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-secure-trading-account/</guid><description>&lt;p&gt;Securing an Indian trading and demat account comes down to a few controls that block the routes attackers actually use: a strong, offline second login factor, clean device habits, a refusal to enter credentials on pages or calls you did not initiate, a scope-limited &lt;a href="https://v2.webnotes.in/poa-to-ddpi-transition/"&gt;DDPI&lt;/a&gt;
 rather than an open-ended power of attorney, and regular monitoring through &lt;a href="https://v2.webnotes.in/zerodha-console/"&gt;Zerodha Console&lt;/a&gt;
 so an unauthorised move shows up early. None of these is exotic; the gap is that most accounts run on the weakest available option for each.&lt;/p&gt;</description></item><item><title>How to set up TOTP on Zerodha Kite</title><link>https://v2.webnotes.in/how-to-set-up-totp-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-set-up-totp-zerodha/</guid><description>&lt;p&gt;&lt;strong&gt;TOTP, or time-based one-time password, is a six-digit code that an authenticator app on your phone generates offline and refreshes every 30 seconds; on &lt;a href="https://v2.webnotes.in/zerodha/"&gt;Zerodha&lt;/a&gt;
 &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 you enable it under My profile, Password &amp;amp; security, Enable external TOTP, then scan a QR code with &lt;a href="https://v2.webnotes.in/google-authenticator/" rel="nofollow"&gt;Google Authenticator&lt;/a&gt;
 or &lt;a href="https://v2.webnotes.in/authy/" rel="nofollow"&gt;Authy&lt;/a&gt;
 so the rolling app code becomes your second login factor in place of the SMS OTP.&lt;/strong&gt; Setting it up takes about five minutes and costs nothing.&lt;/p&gt;</description></item><item><title>How to set up your password on Zerodha</title><link>https://v2.webnotes.in/how-to-set-up-password-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-set-up-password-zerodha/</guid><description>&lt;p&gt;&lt;strong&gt;Zerodha never sends you a ready-made password.&lt;/strong&gt; When your account opens, the welcome email from &lt;a href="mailto:welcome@zerodha.com"&gt;welcome@zerodha.com&lt;/a&gt;
 carries your 12-character &lt;a href="https://v2.webnotes.in/zerodha-12-character-user-id-format/"&gt;user ID&lt;/a&gt;
 and a link to set the password yourself, nothing more. The absence of a password in that email is the design, not a delivery failure. This guide walks the first-login setup: opening the welcome email, creating the password, and configuring the 6-digit PIN or TOTP authenticator that the SEBI two-factor rule makes compulsory on every &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 login.&lt;/p&gt;</description></item><item><title>How to stop unsolicited stock-tip SMS and report them</title><link>https://v2.webnotes.in/how-to-stop-stock-tip-sms-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-stop-stock-tip-sms-zerodha/</guid><description>&lt;p&gt;Unsolicited stock-tip and guaranteed-return SMS are stopped through TRAI&amp;rsquo;s Do Not Disturb framework, reported to TRAI on 1909, and, where they offer investment advice, complained about to SEBI on &lt;a href="https://v2.webnotes.in/zerodha-scores/"&gt;SCORES&lt;/a&gt;. The first thing to be clear on: &lt;a href="https://v2.webnotes.in/zerodha/"&gt;Zerodha&lt;/a&gt;
 does not send stock tips. It provides no advisory service, so a tip SMS or a guaranteed-return message that uses Zerodha&amp;rsquo;s name is impersonation or unrelated spam, never a genuine Zerodha communication, and acting on it is the start of a scam, not a trade.&lt;/p&gt;</description></item><item><title>How to unblock a blocked Kite account</title><link>https://v2.webnotes.in/how-to-unblock-kite-account/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-unblock-kite-account/</guid><description>&lt;p&gt;&lt;strong&gt;Kite blocks your account after five incorrect password attempts, and the block clears only when you reset your login credentials; there is no separate unblock button.&lt;/strong&gt; Completing the Forgot user ID or password flow sets a new password and unblocks the account automatically. The same applies to a block from repeated incorrect &lt;a href="https://v2.webnotes.in/why-risk-disclosure-every-login-kite/"&gt;two-factor authentication&lt;/a&gt;
 entries. This guide walks the reset-to-unblock flow, and separates it from two states people confuse with a login block: account dormancy, and a risk-management or suspicious-activity freeze, each of which has a different fix.&lt;/p&gt;</description></item><item><title>How to verify a call or SMS claiming to be from Zerodha</title><link>https://v2.webnotes.in/how-to-verify-zerodha-call/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-verify-zerodha-call/</guid><description>&lt;p&gt;To verify whether a call, SMS, or person claiming to be from &lt;a href="https://v2.webnotes.in/zerodha/"&gt;Zerodha&lt;/a&gt;
 is genuine, match the calling number against Zerodha&amp;rsquo;s official published contact list on support.zerodha.com; Zerodha&amp;rsquo;s genuine calls come only from that list of registered numbers, and a number outside it is not Zerodha. Layer on a behavioural test that does not depend on the number at all: Zerodha staff never ask for your OTP, password, PIN, or KYC documents, never ask you to transfer funds, and never give stock tips over the phone. A caller doing any of these is an impostor regardless of the number on your screen.&lt;/p&gt;</description></item><item><title>How to verify whether an email is genuinely from Zerodha</title><link>https://v2.webnotes.in/how-to-verify-zerodha-email/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-verify-zerodha-email/</guid><description>&lt;p&gt;An email is genuinely from Zerodha only if its sender domain is &lt;strong&gt;zerodha.com&lt;/strong&gt; or one of the ten mailer subdomains Zerodha publishes on its verify-genuine-email support page, and even a genuine email never asks for your password, OTP or PIN. The sender domain, the part of the address after the @ sign, is the one signal a fraudster cannot fake past your email provider&amp;rsquo;s authentication checks. The logo, the formatting, the tone, the client ID in the body: all of these are copied from real emails and prove nothing.&lt;/p&gt;</description></item><item><title>Kite app code vs external TOTP vs SMS OTP: which second factor to use</title><link>https://v2.webnotes.in/kite-app-code-totp-vs-sms-otp/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/kite-app-code-totp-vs-sms-otp/</guid><description>&lt;p&gt;Kite offers three ways to satisfy the second factor of a two-factor login: the in-app &lt;strong&gt;app code&lt;/strong&gt;, an external authenticator &lt;strong&gt;TOTP&lt;/strong&gt;, and &lt;strong&gt;SMS OTP&lt;/strong&gt;. 
An external authenticator TOTP is the most secure and most reliable of the three, because it computes codes offline, removes the SIM and the telecom network from the attack surface, and lets you log in to &lt;a href="https://v2.webnotes.in/kite-web/"&gt;Kite web&lt;/a&gt;
 without opening the &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 mobile app. The in-app app code is a solid default; SMS OTP is the weakest link and is best treated as a fallback only.&lt;/p&gt;</description></item><item><title>Kite app code: what it is and how it works as a login factor</title><link>https://v2.webnotes.in/kite-app-code/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/kite-app-code/</guid><description>&lt;p&gt;The &lt;strong&gt;Kite app code&lt;/strong&gt; is a six-digit time-based one-time password (TOTP) generated inside Zerodha&amp;rsquo;s &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 mobile app that you type into &lt;a href="https://v2.webnotes.in/kite-web/"&gt;Kite web&lt;/a&gt;
 as the second factor of a two-factor login. After you enter your user ID and password on Kite web, the app shows a code that is valid for 30 seconds; entering it completes the login. Zerodha documents this as the default second factor for clients who have the Kite mobile app and have not switched to an external authenticator.&lt;/p&gt;</description></item><item><title>Why Zerodha blocks Rediffmail email IDs</title><link>https://v2.webnotes.in/zerodha-rediffmail-blocked/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/zerodha-rediffmail-blocked/</guid><description>&lt;p&gt;Zerodha restricts Rediffmail email IDs for two documented reasons: it has observed an increase in cyberattacks targeting Rediffmail accounts, and emails it sends are frequently not delivered to Rediffmail addresses. Because every contract note, statement, OTP and alert reaches you by email, a provider that drops or bounces those messages is a compliance and security problem, not a minor inconvenience. New registrations on Rediffmail are not accepted, and existing Rediffmail accounts are blocked from resetting the &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 password by email.&lt;/p&gt;</description></item><item><title>Zerodha client password and credential policy</title><link>https://v2.webnotes.in/zerodha-client-password-policy/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/zerodha-client-password-policy/</guid><description>&lt;p&gt;&lt;strong&gt;Zerodha&amp;rsquo;s client password and credential policy&lt;/strong&gt; sets no password in the account-opening welcome email; the client creates the password at first login, and a mandatory second factor, the Kite App Code or an external time-based one-time password (TOTP), sits on top of it under the cyber-security framework SEBI mandated in its circular of 3 December 2018, enforced across brokers from 30 September 2022. The login is therefore two factors deep by design, and the account holder, not the broker, carries the loss from any credential misuse.&lt;/p&gt;</description></item><item><title>Zerodha email: your registered mobile number is blocked</title><link>https://v2.webnotes.in/zerodha-mobile-number-blocked-email/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/zerodha-mobile-number-blocked-email/</guid><description>&lt;p&gt;A Zerodha email stating that your registered mobile number is blocked means the number appears on the Telecom Regulatory Authority of India (TRAI) list of inactive or disconnected numbers. SEBI requires every &lt;a href="https://v2.webnotes.in/demat-account/"&gt;demat account&lt;/a&gt;
 to carry an active mobile number so that one-time passwords and trade alerts reach only the account holder, and Zerodha sends this notice so you update the number before communications start failing. It is a security and compliance message, not a marketing email.&lt;/p&gt;</description></item><item><title>Zerodha IP address shared alert</title><link>https://v2.webnotes.in/zerodha-ip-shared-alert/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/zerodha-ip-shared-alert/</guid><description>&lt;p&gt;The &lt;strong&gt;Zerodha IP address shared alert&lt;/strong&gt; is an email Zerodha sends when two or more Zerodha accounts log in from the same device or network and therefore share a single public IP address. Zerodha sends it because, under an &lt;a href="https://v2.webnotes.in/national-stock-exchange/"&gt;NSE&lt;/a&gt;
 compliance rule, brokers capture and report client IP addresses for security and surveillance, and a common IP across accounts is something the broker has to explain to the exchange. The alert asks you to clarify why the accounts share the address; it is a question, not a verdict.&lt;/p&gt;</description></item><item><title>Zerodha login from a different city alert</title><link>https://v2.webnotes.in/zerodha-login-different-city-alert/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/zerodha-login-different-city-alert/</guid><description>&lt;p&gt;The &lt;strong&gt;Zerodha login from a different city alert&lt;/strong&gt; is an email, accompanied by a Kite app notification, that Zerodha sends when you log in to &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 from a city or IP address it has not seen on your account before. Zerodha judges location from the IP address of the login request, not from your physical position, so the alert is a prompt to confirm the login was yours, not a statement that someone has broken in. The decision you have to make on receiving it is binary: do you recognise this login, or not?&lt;/p&gt;</description></item><item><title>Zerodha multiple incorrect 2FA notification</title><link>https://v2.webnotes.in/zerodha-multiple-incorrect-2fa-notification/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/zerodha-multiple-incorrect-2fa-notification/</guid><description>&lt;p&gt;The &lt;strong&gt;Zerodha multiple incorrect 2FA notification&lt;/strong&gt; is an alert sent to your registered email and current device when several wrong two-factor authentication entries are made on your &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 login, and the account is blocked after 5 incorrect 2FA entries. The notification warns that the 2FA was entered incorrectly and that your password may be compromised, because whoever was entering the 2FA had already cleared the password stage to reach it. If you made the failed attempts yourself, a credential reset restores access; if you did not, the alert is telling you someone else got as far as your second factor.&lt;/p&gt;</description></item><item><title>Zerodha new device login notification</title><link>https://v2.webnotes.in/zerodha-new-device-login-notification/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/zerodha-new-device-login-notification/</guid><description>&lt;p&gt;The &lt;strong&gt;Zerodha new device login notification&lt;/strong&gt; is an alert sent to your registered email and your current device the moment your correct &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 password is entered on a device Zerodha has not seen before, sent before two-factor authentication is completed. It tells you that your login credentials have been entered on a new device, so you can confirm the login was yours or act quickly if it was not. The notification keys on the device, which is what separates it from the &lt;a href="https://v2.webnotes.in/zerodha-login-different-city-alert/"&gt;login-from-a-different-city alert&lt;/a&gt;
 that keys on IP location.&lt;/p&gt;</description></item><item><title>Zerodha official social media handles and how to spot fakes</title><link>https://v2.webnotes.in/zerodha-official-social-media-handles/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/zerodha-official-social-media-handles/</guid><description>&lt;p&gt;&lt;strong&gt;Zerodha&lt;/strong&gt; maintains a published set of official social media handles and domains, fronted by the support handle &lt;a href="https://twitter.com/zerodhaonline"&gt;@zerodhaonline&lt;/a&gt;
 on X and the website &lt;a href="https://v2.webnotes.in/zerodha/"&gt;zerodha.com&lt;/a&gt;, against which any account, message, or link claiming to be from Zerodha can be checked. Zerodha Broking Limited is a SEBI-registered stock broker (SEBI registration INZ000031633), and any handle, group, or app outside its published list, especially one offering tips, guaranteed returns, advisory, or asking for money, is not Zerodha.&lt;/p&gt;</description></item><item><title>Zerodha trade SMS and email alerts from the exchanges</title><link>https://v2.webnotes.in/zerodha-trade-sms-alerts/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/zerodha-trade-sms-alerts/</guid><description>&lt;p&gt;&lt;strong&gt;Zerodha trade SMS and email alerts&lt;/strong&gt; are messages that the stock exchanges, &lt;a href="https://v2.webnotes.in/national-stock-exchange/"&gt;National Stock Exchange&lt;/a&gt;, &lt;a href="https://v2.webnotes.in/bombay-stock-exchange/"&gt;Bombay Stock Exchange&lt;/a&gt;
 and MCX, send directly to a retail client on every day that client trades, as a &lt;a href="https://v2.webnotes.in/sebi/"&gt;SEBI&lt;/a&gt;
 investor-protection measure to flag unauthorised trades in the account. The broker does not send them; the exchange does, using the mobile number and email that &lt;a href="https://v2.webnotes.in/zerodha/"&gt;Zerodha&lt;/a&gt;
 reported to it at account opening. The point of the alert is that you read the SMS, recognise every trade in it, and raise an alarm the same day if a trade appears that you never placed.&lt;/p&gt;</description></item></channel></rss>