How to enable device lock on the Kite app
Device lock on the Kite app is your phone’s own screen lock (a PIN, pattern, fingerprint, or Face ID) that Kite uses as the second authentication factor when you log in. It is not a separate code you type into the app and it is not optional: device lock for Kite app login has been mandatory since 23 September 2022, because it satisfies the requirement set by the Securities and Exchange Board of India (SEBI) for two-factor authentication (2FA) on trading-app login. Your lock data stays on your phone; Zerodha does not store it.
This guide explains what device lock is, how it differs from a login PIN (there is no separate Kite app login PIN), the exact one-time setup, the time-based one-time password (TOTP) alternative if you do not want device lock, and the platform-specific points on Android and iOS. The setup takes under five minutes and costs nothing.
Conflict-of-interest disclosure. This guide is published by the WebNotes Editorial Team for informational purposes and is written independently. WebNotes operates a Zerodha account-opening referral programme, disclosed on the pages that carry the referral link; this guide does not carry it and earns no referral commission from the procedure described here.
Step-by-step procedure
The numbered box at the top of this guide gives the sequence. The detail below expands the OS-level lock setup, the Enable now flow, and the five-minute window.
1. Set a screen lock on your phone first
Kite does not invent its own lock; it leans on the one your phone already provides. If your phone has no screen lock yet, set one before you touch Kite. On Android, open Settings, tap Security & LockScreen, then select from Screen lock, Fingerprint and Face unlock. If you pick fingerprint, the phone also asks for a backup pattern, PIN, or password; choose, for example, Fingerprint + PIN. Enter the PIN, verify it by re-entering, tap Next, record your fingerprint on the sensor, and tap Done. On iOS, set a passcode and enable Touch ID or Face ID under Settings; Apple’s own guide covers the per-model steps. For per-version Android instructions Zerodha points to Google’s support page, and for iOS to Apple’s support guide.
2. Open the Kite app and log in
Launch Kite, enter your registered phone number or user ID, enter your password, and tap Login. Kite then asks for the OTP received on SMS or email; enter it. Note that if your phone number is registered against more than one account, you cannot use the number to log in; use the user ID instead.
3. Tap Enable now on the Enable 2FA Security screen
After the OTP step, Kite shows the Enable 2FA Security screen. Tap Enable now to set up device lock. This is a one-time process: once the device is bound, later logins call your screen lock directly without showing this screen again. If you reinstall Kite or switch phones, you run the one-time setup again on the new device.
4. Authenticate with your device lock
Kite then asks you to enter your device lock PIN, biometric or pattern. Authenticate once. This binds your phone’s screen lock to Kite as the second factor. From here on, every Kite login on this phone asks for your password and OTP, then your device lock, and you are in.
5. Avoid third-party lock apps
Use only your phone’s built-in screen lock. Zerodha advises against third-party app-locker tools, because they can interfere with the Kite app login and cause the lock prompt to fail. If you have a separate app-lock utility pointed at Kite, the OS-level device lock is what 2FA needs, not the third-party layer.
6. Complete login within five minutes
There is a session timer on the login flow. You must enter your mobile app code or 2FA within five minutes of entering your login credentials. If you stall past that window, the login expires and you start again from your password. This matters most when you step away mid-login, which is also the trigger for the Kite app logging you out when you switch apps.
How device lock differs from a login PIN
On the Kite app there is no separate four- or six-digit Kite login PIN that you type into the app as a credential. Login is two parts: your password, and a second factor. Device lock is that second factor. It is your phone unlocking, not a Kite-specific code.
This is the point people miss. The “PIN” in device lock is the PIN your phone already uses to unlock, owned by the operating system, not a number Zerodha issued. If you change your phone’s screen-lock PIN in Settings, Kite uses the new one automatically, because Kite only asks the OS “is the user authenticated”, and the OS answers. Compare that with the support code or ZPin, which is a four-digit number Zerodha assigns for IVR authentication on a support call and which is unrelated to login.
The second-factor alternatives are device lock or TOTP, both covered under the Kite app code framework. Neither is a login PIN in the sense of a static numeric password. Read Kite app code: TOTP versus SMS OTP for how the app-internal code and the external authenticator code differ.
The regulatory basis for mandatory 2FA
Zerodha did not make device lock mandatory on a whim. SEBI requires two-factor authentication for login to trading and demat applications, building on the cyber-security and cyber-resilience framework SEBI first set for stock brokers and depository participants in a circular dated 3 December 2018. Brokers across the industry began offering compliant 2FA from 30 September 2022. Zerodha made device lock mandatory for Kite app login from 23 September 2022, per its own bulletin dated 22 September 2022.
Two factors means something you know plus something you have: your password (know) plus your phone with its screen lock (have). A password that leaks in a breach is then not enough on its own to reach your account, because the attacker would also need your unlocked phone or your TOTP seed. This is the same logic behind the risk disclosure on every login and the broader Zerodha cyber security posture.
The TOTP alternative
If you do not want to use device lock, the sanctioned alternative is a time-based one-time password. A TOTP is generated by an authenticator app or a device that supports TOTP, remains valid for about 30 seconds, and refreshes every 30 seconds, so unlike an SMS OTP it needs no network and cannot be intercepted in transit. You set it up under How to set up TOTP at Zerodha, and you can move off it later under How to disable TOTP at Zerodha. If you lose the authenticator, recover it under How to recover a lost TOTP at Zerodha.
One practical note: relying on TOTP on the same phone you trade on means you switch to the authenticator app to copy the code, which can interact with Kite logging you out on app switch. Device lock avoids that switch entirely, because the second factor is your phone’s unlock, not a code in another app.
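The 30-second refresh described above, worked through as an added example (not Zerodha's or any authenticator app's own code): RFC 6238 TOTP generation and verification in Python, computed from a seed and the clock alone with no network call. The seed is the published RFC 6238 test key, and the six-digit length and the one-step drift allowance in `verify` are assumptions, not documented Zerodha behaviour.

```python
# Added example: RFC 6238 TOTP with the 30-second step described in the guide.
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # validity period of one code, as stated in the guide
DIGITS = 6          # assumption: common authenticator default

# Constructed sample seed: the published RFC 6238 SHA-1 test key, not a real account seed.
SAMPLE_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, at: float, digits: int = DIGITS) -> str:
    """Code for the 30-second step that contains Unix time `at`."""
    return hotp(seed, int(at) // STEP_SECONDS, digits)


def seconds_remaining(at: float) -> int:
    """Seconds until the current code is replaced by the next one."""
    return STEP_SECONDS - int(at) % STEP_SECONDS


def verify(seed: bytes, code: str, at: float, drift_steps: int = 1) -> bool:
    """Accept `code` if it matches the current step or one within `drift_steps`
    of it (assumed clock-skew allowance). Each comparison is constant-time."""
    current = int(at) // STEP_SECONDS
    ok = False
    for step in range(current - drift_steps, current + drift_steps + 1):
        if step >= 0 and hmac.compare_digest(hotp(seed, step), code):
            ok = True
    return ok


if __name__ == "__main__":
    now = time.time()
    print(totp(SAMPLE_SEED, now), f"valid for {seconds_remaining(now)}s more")
```

The two RFC timestamps 1111111109 and 1111111111 are two seconds apart but fall on either side of a step boundary, so they yield different codes; a code older than the drift allowance is rejected.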
See also
- Kite by Zerodha
- Zerodha
- Zerodha Console
- How to enable biometric login on Kite
- How to set up TOTP at Zerodha
- How to disable TOTP at Zerodha
- How to recover a lost TOTP at Zerodha
- How to fix an invalid TOTP at Zerodha
- How to reset 2FA at Zerodha
- How to fix Kite logging out when switching apps
- How to recover your Kite PIN
- How to recover your Kite password
- How to reset the Zerodha support code (ZPin)
- How to remove a temporary OTP on Kite
- How to unblock a blocked Kite account
- Kite app code
- Kite app code: TOTP versus SMS OTP
- Why a risk disclosure appears on every Kite login
- Why Zerodha uses separate apps
- Zerodha cyber security
- How to secure your trading account
- Zerodha client password policy
- How to set up a Zerodha password
- SEBI
External references
- Zerodha support: How to enable device lock on mobile?
- Zerodha support: How do I log in to the Kite app?
- Zerodha bulletin: Mandatory device lock for Kite app login
- Zerodha Z-Connect: Two factor authentication (2FA)
- SEBI
References
- Zerodha support, How to enable device lock on mobile? (as of 20 June 2026).
- Zerodha bulletin, Mandatory device lock for Kite app login, 22 September 2022 (effective 23 September 2022).
- SEBI, Cyber Security and Cyber Resilience framework for Stock Brokers and Depository Participants, circular dated 3 December 2018 (basis for two-factor authentication on trading-app login).
WebNotes Editorial Team prepares factual how-to guides based on publicly available regulatory documents and broker disclosures. WebNotes is not affiliated with Zerodha Broking Limited. Procedures are subject to change; verify current requirements at support.zerodha.com before acting.