How to disable TOTP on Zerodha Kite

From WebNotes, a public knowledge base. Reading time ~9 min. Level: Beginner.

To disable TOTP on Zerodha Kite, log in, open My profile then Password & security, click Disable external TOTP, enter your Kite login password, and click Disable; the account then reverts to the SMS OTP as its second factor. You cannot switch the second factor off entirely, because two-factor authentication on a trading login is mandated by the exchanges and SEBI.

This is the point most people miss. “Disable TOTP” does not mean “log in with just a password.” It means swap the time-based app code back for the text-message code. One second factor always remains. Zerodha’s support pages are explicit that the OTP step at login cannot be eliminated, only changed in form.

This guide covers the disable flow on Kite web and the Kite app, the exact UI labels, why the SMS OTP cannot be removed, and when you should reset rather than disable.

Conflict-of-interest disclosure. This guide is published by the WebNotes Editorial Team for informational purposes and is written independently. WebNotes operates a Zerodha account-opening referral programme, disclosed on the pages that carry the referral link; this guide does not carry it and earns no referral commission from the procedure described here.

Step-by-step procedure

The infobox above lists the steps. The detail below covers where the setting sits, what confirmation is needed, and the platform differences between Kite web and the Kite app.

1. Log in and open Password and security

On Kite web, log in, click your client ID at the top right, open My profile then Settings, and click Password & security. On the Kite app, tap your client ID, tap Profile, then tap Manage for Password and Security. This is the same panel where you enabled TOTP. If you cannot complete the login because you have lost the authenticator and so cannot produce a current code, this panel is out of reach; skip to the reset section below.

2. Click Disable external TOTP

Click or tap Disable external TOTP. This control appears only when external TOTP is the active second factor. If you do not see it, TOTP is not currently enabled on the account, and there is nothing to disable. In that case the account is already on SMS OTP.

3. Enter your Kite login password

Enter your current Kite login password. The password is the single confirmation Kite requires to turn TOTP off. It does not ask for the current TOTP code, which is deliberate: a password-only confirmation lets you disable TOTP even if the authenticator is misbehaving, as long as you are already inside an authenticated session.

4. Click Disable

Click or tap Disable. Kite turns off external TOTP. From the next login, the password screen is followed by the SMS OTP step again, with the code texted to your registered mobile. If that mobile is on a do-not-disturb (DND) registration and the OTP does not arrive, you can fall back on the email-based password reset, the same route covered under recovery; Zerodha’s support note on disabling TOTP flags the DND case directly.

5. Remove the entry from your authenticator app

Open Google Authenticator or Authy and delete the Kite entry. It no longer authenticates anything once TOTP is disabled, and leaving it in place only invites confusion the next time you open the app and see a code that Kite will not accept. If you re-enable TOTP later, you scan a fresh QR and the app creates a new entry; the old one is dead.

Why you cannot remove two-factor authentication entirely

Disabling TOTP is a switch, not a removal. The reason sits in regulation, not in Zerodha’s product choices.

NSE circular NSE/COMP/52623, dated 14 June 2022 and issued in consultation with SEBI, requires every internet-based trading (IBT) and securities-trading-through-wireless-technology (STWT) platform to authenticate each login with two factors: a knowledge factor (your password) and a second factor from a different category, which may be an OTP, a PIN, a TOTP, or a biometric. A later exchange direction reiterated that the second factor must be requested on each login attempt. This is also why Kite logs you out daily rather than holding an open session: a fresh login means a fresh second factor every time.

Because the rule demands a second factor and never permits zero, Zerodha cannot offer a “password only” mode. TOTP and SMS OTP are the two forms the second factor can take for a retail equity login; the Kite app code is the in-app form of TOTP, and biometric or device lock add a layer on the device without removing the server-side factor. Turn TOTP off and SMS OTP comes back. The framework is part of SEBI’s wider cyber-security and cyber-resilience requirements for stock brokers (SEBI circular dated June 2022, reference 59581); read Zerodha cyber security for how Zerodha applies it.

When to reset instead of disable

The profile disable flow assumes you can log in. If you cannot, because you lost the phone holding the authenticator, deleted the app, or wiped the device, disabling from the profile is impossible, and you should reset instead.

The reset route, reached through Forgot user ID or password? on the login page, verifies your identity with your user ID, PAN, and an OTP to your registered email or mobile, sets a new password, and clears the existing TOTP enrolment so you can set the second factor up again. It is the correct tool when TOTP is in the way of logging in, rather than something you are choosing to switch off from inside the account. The full flow is in How to recover a lost TOTP and How to reset 2FA on Zerodha. If you have lost access to both your email and your mobile, see How to recover a lost email and mobile on Zerodha, because every reset routes through at least one of those two channels.

SMS OTP is weaker, so weigh the switch

Disabling TOTP is a downgrade in security, and it is worth being clear-eyed about why before you do it. An SMS OTP travels over an unencrypted cellular channel, depends on a telecom gateway that can choke at market peaks, and rides on a SIM that can be lost or socially engineered through a SIM swap. A TOTP is computed offline on your device from a shared secret and the clock, with nothing transmitted at login and no SIM in the path. Zerodha recommends the authenticator route for exactly these reasons, set out in Kite app code versus SMS OTP.
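The offline computation described above, and the reason a leftover authenticator entry is dead once you re-enrol (step 5), can be seen in a short RFC 6238 sketch. This is an added example, not code from Zerodha or WebNotes; HMAC-SHA1, the 30-second step, six digits and the one-step drift tolerance are RFC defaults assumed here rather than confirmed Kite parameters, and both secrets are constructed.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step (RFC 6238 default; assumed here)
DIGITS = 6     # code length shown by common authenticator apps (assumed)


def totp(secret_b32: str, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): needs only the shared secret and the clock."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // STEP)       # 8-byte big-endian step number
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus a small clock drift."""
    for step in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, unix_time + step * STEP, len(code))
        if hmac.compare_digest(expected, code):          # constant-time comparison
            return True
    return False


# Constructed secrets: the first is the RFC 6238 test key ("12345678901234567890"),
# standing in for the original enrolment; the second stands in for a fresh QR scan.
OLD_SECRET = base64.b32encode(b"12345678901234567890").decode()
NEW_SECRET = base64.b32encode(b"09876543210987654321").decode()

if __name__ == "__main__":
    now = 1111111109                                     # fixed time from the RFC vectors
    stale = totp(OLD_SECRET, now)                        # what the leftover app entry shows
    print("old entry shows:", stale)
    print("valid against old enrolment:", verify(OLD_SECRET, stale, now))
    print("valid after re-enrolment:  ", verify(NEW_SECRET, stale, now))
    print("valid 5 minutes later:     ", verify(OLD_SECRET, stale, now + 300))
```

Nothing in `totp` touches the network or the SIM; the only inputs are the secret from the QR code and the device clock, which is also why a badly skewed phone clock produces codes the server rejects.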

The legitimate reasons to disable TOTP are narrow: you are changing phones and want to re-enrol cleanly, you have lost the authenticator and prefer SMS while you sort out a new device, or you find the app code inconvenient and accept the lower security of SMS. If the trigger is only that you changed phones, the cleaner path is to disable, change the phone, then re-enable TOTP on the new device, rather than living on SMS OTP permanently.

References

  1. Zerodha support, How to disable Time-based OTP (TOTP)? (as of 20 June 2026).
  2. Zerodha support, How are Kite app code and external TOTP better than SMS OTP? (as of 20 June 2026).
  3. NSE circular NSE/COMP/52623, dated 14 June 2022, on two-factor authentication for internet-based trading and securities trading through wireless technology, issued in consultation with SEBI.
  4. SEBI, Modification in Cyber Security and Cyber Resilience framework of Stock Brokers and Depository Participants, circular dated June 2022 (reference 59581).

WebNotes Editorial Team prepares factual how-to guides based on publicly available regulatory documents and broker disclosures. WebNotes is not affiliated with Zerodha Broking Limited. Procedures and screen labels are subject to change; verify the current flow at support.zerodha.com before acting.

Frequently asked questions

How do I disable TOTP on Zerodha Kite?
Log in to Kite, open My profile then Password & security, click Disable external TOTP, enter your Kite login password, and click Disable. The account then reverts to SMS OTP. You can do this on Kite web or the Kite app.

Can I turn off two-factor authentication on Zerodha completely?
No. You can switch the second factor from TOTP back to SMS OTP, but you cannot remove the second factor altogether. NSE and SEBI rules require two-factor authentication on every trading login, so SMS OTP stays on.

What does my account revert to after I disable TOTP?
It reverts to the SMS OTP. Kite resumes texting a one-time password to your registered mobile number after your password at each login, which was the default second factor before TOTP was enabled.

Do I need to be logged in to disable TOTP?
Yes. Disabling TOTP from the profile needs an active session and your password. If you are locked out because you lost the authenticator, use the Forgot password reset flow instead, which clears TOTP as part of resetting the account.

Is there a charge to disable or re-enable TOTP?
No. Disabling external TOTP, reverting to SMS OTP, and re-enabling TOTP later are all free. Zerodha does not levy any charge on changing your second-factor method.

Will disabling TOTP log me out of other devices?
Disabling TOTP changes the second factor for future logins; it does not by itself terminate active sessions. Kite still enforces its daily logout, so the next login on any device will use the SMS OTP.

Reviewed and published by

The WebNotes Editorial Team covers Indian capital markets, payments infrastructure and retail investor procedures. Every article is fact-checked against primary sources, principally SEBI circulars and master directions, NPCI specifications and the official support documentation published by the intermediary in question. Drafts go through a second-pair-of-eyes review and a separate compliance read before publication, and revisions are tracked against the SEBI and NPCI rule changes referenced in the methodology section.

Conflicts of interest
WebNotes is independent. No relationship with any broker, registrar or bank named in this article.