
How to log in to Zerodha when your mobile is lost

From WebNotes, a public knowledge base. Reading time ~9 min. Level: Intermediate.

If your registered mobile is lost, you regain Kite access by switching your second factor from SMS OTP to a TOTP authenticator app, which generates the 6-digit login code on any device without an SMS. SMS-based two-factor authentication depends on the SIM in your hand; a lost phone breaks it. The fix is a TOTP authenticator, set up during a password reset that you verify by email rather than SMS. This guide walks through that reset-and-switch flow, the change-of-mobile route to restore your number, and the harder case where both your mobile and email are gone.

The principle to hold is that two routes exist depending on what you have lost. If only the phone is gone but you can still reach your registered email, you reset and switch to TOTP yourself in minutes. If you have lost access to both the registered email and the registered mobile, you cannot self-serve; you must update your contact details first, which Zerodha verifies and applies within 72 working hours. Everything below maps to one of those two cases.

Conflict-of-interest disclosure. This guide is published by the WebNotes Editorial Team for informational purposes and is written independently. WebNotes operates a Zerodha account-opening referral programme, disclosed on the pages that carry the referral link; this guide does not carry it and earns no referral commission from the procedure described here.

Step-by-step procedure

The numbered box at the top gives the sequence. The H3 sections below expand the TOTP switch and the contact-update route, the two parts that decide whether you self-serve or wait on support.

1. Reset the password through email verification

Go to kite.zerodha.com and click Forgot user ID or password. Enter your User ID and PAN. On the channel choice, select Receive on E-mail rather than SMS, since SMS would go to the lost phone. Enter your registered email and the captcha, click Reset, then enter the OTP from the email and set a new password. This gets you past the password without ever needing the mobile. If the mobile is merely on DND rather than lost, the same email route applies, because a number on DND may not receive the OTP. For the full reset detail see how to recover a Kite password.

2. Switch the second factor to TOTP

After the password, you reach the 2FA setup. Select Method 2: External authenticator and click Setup TOTP. This is the step that removes your dependence on the lost phone, because a TOTP code is computed on the device that holds the key, not sent over SMS. Install Google Authenticator or Authy on a device you control, click Can’t scan? Copy key, and paste the key into the app. The app starts generating a rotating 6-digit code. Enter the current code in the Enter the 6 digit app TOTP field and click Continue. See how to set up TOTP on Zerodha for the full TOTP path and how to recover a lost TOTP if you later lose the authenticator itself.

3. Log in with TOTP and verify

Click Login here to continue. Log in with your user ID, the new password, and the live 6-digit code from the authenticator. No SMS is involved at any point. A clean login confirms the second factor has moved off the lost device. If you chose Authy, its cross-device backup means the same token restores onto a future phone, so a second lost-phone event will not lock you out again; this is the practical reason to prefer a backed-up authenticator over an unbacked one or over SMS. Read TOTP versus SMS OTP for that trade-off in full.

4. Update your registered mobile number

You are now logged in but your account still points at the lost number for SMS alerts and any future SMS-based verification. Update it. The online change-of-mobile process needs your mobile linked to Aadhaar; otherwise you submit an offline form. Follow how to change the registered mobile at Zerodha for the exact procedure. Restoring the number matters because trade and margin alerts, and some reset paths, still route over SMS even when your login uses TOTP.

The both-lost case: contact update first

If you have lost access to both the registered mobile and the registered email, you cannot reset the password yourself, because every reset channel sends a verification code to one of them. The route is to update your contact details first, then reset. The online update requires your mobile number to be linked with Aadhaar so identity can be verified; if it is not, you use the offline route by submitting the change-of-contact form. Zerodha updates the new mobile and email within 72 working hours after successful verification, and only then can you run the standard password reset against the new details. Read how to recover lost email and mobile at Zerodha for the full both-lost procedure, and how to change the registered email for the email side.

This is the one case where a support ticket is unavoidable. Raise it through how to create a ticket at Zerodha, or if you cannot log in at all, how to create a ticket without login. Expect the 72-working-hour window rather than an instant fix, because the verification protects against an attacker using a “lost contact” claim to seize an account.

Why TOTP is the durable answer

SMS OTP ties your login to a single SIM. Lose the phone, port the number, travel without signal, or land on a DND list, and the code does not arrive. TOTP removes all of that: the 6-digit code is generated by an algorithm seeded with a key only you hold, computed locally on the device, with no network round trip. An authenticator app such as Authy backs the seed up to your account, so a new phone restores every token. For a trading login that controls funds and a demat account, the resilience matters more than the small convenience of SMS. After a lost phone has locked you out once, moving to a backed-up TOTP is the change that prevents a repeat.

What to check after you regain access

Confirm the registered mobile and email now show the correct, current values in your profile. Confirm the second factor is the TOTP app you set, not the old SMS path. If you received a credentials-reset alert that you did not initiate, or any login-from-a-new-device notice you do not recognise, treat it as a security event: Zerodha sends a confirmation by email and SMS on every reset for exactly this reason. Review how to secure a trading account and, if you suspect compromise, how to block a Zerodha account due to suspicious activity.

References

  1. Zerodha support, How to log in to Kite if mobile lost or if mobile is not used? (TOTP setup via email-verified reset, as of 20 June 2026).
  2. Zerodha support, How can the Zerodha account password be reset without having access to the linked mobile number and email ID? (contact update within 72 working hours, as of 20 June 2026).
  3. Zerodha support, What to do if I lose access to my TOTP authenticator app? (Authy cross-device backup, as of 20 June 2026).
  4. SEBI circular SEBI/HO/MIRSD/DOP/P/CIR/2022/76, dated 3 June 2022, on two-factor authentication for online trading account access.

WebNotes Editorial Team prepares factual how-to guides based on publicly available regulatory documents and broker disclosures. WebNotes is not affiliated with Zerodha Broking Limited. Procedures and screens are subject to change; verify the current flow at support.zerodha.com before acting.

Frequently asked questions

How do I log in to Kite if I lost my registered mobile?
Set up a TOTP authenticator instead of SMS OTP. Reset your password through Forgot user ID or password using email verification, choose External authenticator on the 2FA screen, add the key to an app like Authy, and log in with the rotating code.

Can I get the Zerodha OTP on email instead of SMS?
Yes, for the password reset. On the Forgot user ID or password screen, choose Receive on E-mail to get the verification OTP by email. For login itself, switch your standing second factor from SMS-based to a TOTP authenticator app.

What if I have lost access to both my mobile and email?
You must update your contact details before you can reset the password. Do it online if your mobile is Aadhaar-linked, or offline by form. Zerodha verifies and updates the new mobile and email within 72 working hours, then you reset the password.

Will losing my phone lock me out permanently?
No. A TOTP authenticator removes the dependence on your phone for SMS. If you used Authy, its cross-device backup restores the codes on a new phone. If you used SMS or an unbacked app, reset to TOTP through the email route.

How do I update my registered mobile at Zerodha?
Use the change-of-mobile route. The online process needs your mobile linked to Aadhaar; otherwise you submit an offline form. See how to change the registered mobile at Zerodha for the full procedure and timelines.

Why use TOTP instead of SMS OTP?
TOTP generates the 6-digit code on your device with no network or SIM dependency, so it survives a lost phone if the app is backed up, works without signal, and cannot be intercepted over SMS. It is the more resilient second factor at Zerodha.

Does the password reset alert me by SMS and email?
Yes. Zerodha sends a confirmation by both email and SMS whenever the credentials are reset. If you did not initiate the reset, treat the alert as a possible unauthorised access attempt and contact support.

Reviewed and published by

The WebNotes Editorial Team covers Indian capital markets, payments infrastructure and retail investor procedures. Every article is fact-checked against primary sources, principally SEBI circulars and master directions, NPCI specifications and the official support documentation published by the intermediary in question. Drafts go through a second-pair-of-eyes review and a separate compliance read before publication, and revisions are tracked against the SEBI and NPCI rule changes referenced in the methodology section.

Conflicts of interest
WebNotes is independent. No relationship with any broker, registrar or bank named in this article.