How to secure an Indian trading and demat account: best practices

From WebNotes, a public knowledge base. Last updated . Reading time ~14 min.

Securing an Indian trading and demat account comes down to a few controls that block the routes attackers actually use: a strong, offline second login factor, clean device habits, a refusal to enter credentials on pages or calls you did not initiate, a scope-limited DDPI rather than an open-ended power of attorney, and regular monitoring through Zerodha Console so an unauthorised move shows up early. None of these is exotic; the gap is that most accounts run on the weakest available option for each.

This guide sets out those best practices in the order an investor should act on them, names the SEBI rules that sit behind each, and points to the operational how-tos for the steps. It frames the controls as guidance, not a single fixed procedure, because the right mix depends on how you trade and what you have authorised. The platform examples are Zerodha, but the principles apply to any SEBI-registered broker and any CDSL or NSDL demat account.

Conflict-of-interest disclosure. This guide is published by the WebNotes Editorial Team for informational purposes and is written independently. WebNotes operates a Zerodha account-opening referral programme, disclosed on the pages that carry the referral link; this guide does not carry it and earns no referral commission from the practices described here.

Use a strong, offline second login factor

Two-factor login is mandatory, not optional. SEBI’s circular SEBI/HO/MIRSD/DOP/CIR/P/2018/147, dated 3 December 2018, required a second factor for login to online trading accounts, in force from 30 September 2022. SEBI fixed the requirement for a second factor but left its form to the broker. So the security decision you control is which form to use, and the forms are not equal.

Pick an external authenticator TOTP over SMS OTP. A TOTP, the standard behind the Kite app code and external authenticators alike, is computed offline on your device from a stored secret and the clock, so no code travels over a network at login. SMS does the opposite: it depends on a telecom gateway, and Zerodha’s own support note describes SMS as “an insecure, non-encrypted, non-cryptographic protocol” whose contents can be intercepted with nearby hardware, while the SIM “can be hijacked using simple social engineering attacks like phishing” (Zerodha support, as of June 2026). A SIM-swap moves your number to an attacker’s SIM, after which every SMS OTP for the account lands on their phone; there is no equivalent attack on a TOTP because the secret never leaves your device. The full method-by-method comparison is in Kite app code vs TOTP vs SMS OTP.
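To make the “secret and clock” point concrete, here is the RFC 6238 computation that an authenticator performs, as an added example written for this guide (it is not Zerodha’s code, and it assumes the common defaults of HMAC-SHA1, six digits and a 30-second step; the Base32 key is the RFC reference secret, not a real account’s). The verify function shows the broker-side check: a code is only accepted for its own 30-second step and a small clock-skew tolerance, so a code that leaks is useless a minute later.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the 30-second window the text refers to
DIGITS = 6          # assumed code length (RFC 6238 default)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then
    RFC 4226 dynamic truncation. Nothing here touches the network:
    only the shared secret and the clock are inputs."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           tolerance: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `tolerance`
    neighbouring steps for clock skew; compare in constant time."""
    for skew in range(-tolerance, tolerance + 1):
        candidate = totp(secret, unix_time + skew * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def secret_from_base32(key: str) -> bytes:
    """Authenticator apps store the secret as Base32, which is what the
    enrolment QR code carries; this is the value to back up."""
    key = key.strip().replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))


if __name__ == "__main__":
    # RFC 6238 reference secret (Base32 of "12345678901234567890"), not a real key.
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(demo_secret, now)
    print("current code:", code, "valid now:", verify(demo_secret, code, now))
    # the same code is rejected once its step and the tolerance have passed
    print("valid 2 minutes later:", verify(demo_secret, code, now + 120))
```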

External TOTP also wins on reliability, which matters for security because it removes the temptation to fall back on the weaker factor. Zerodha logs every client out at the end of each trading day, so everyone logs in again next morning, often around the 9:15 a.m. open. The broker warns that sending tens of thousands of OTP SMSes per second at that moment “may result in non-delivery or delayed delivery,” whereas an offline TOTP is available instantly. Set up the external authenticator and back it up, or store the TOTP secret key when you scan the QR code, so a lost phone does not lock you out; recovery then runs through how to reset 2FA on Zerodha.

Set a strong password and protect the recovery channels

A second factor protects you only if the first factor and the recovery channels are clean too. Use a unique password for your broker that you do not reuse on any other site, so a breach elsewhere cannot be replayed against your trading login. Zerodha’s client password policy sets the minimum; treat it as a floor, not a target. Keep the email and mobile number on the account current and under your control, because the recovery and alert paths run through them; an outdated mobile on the account is both a security gap and a notification blind spot.

Note one safe-by-design detail: Zerodha never emails you a password. The welcome email contains no password at all, by design, so any message that does “send your password” is a phishing attempt; see why the welcome email has no password. Knowing the legitimate flows is itself a defence, because it makes the fakes obvious.

Keep your devices clean

The second factor lives on a device, so the device’s hygiene is part of your account security. Keep the operating system and the Kite mobile app updated, since updates carry security fixes. Enable the device lock, biometric or PIN, on the phone that holds your authenticator or the Kite app; Zerodha notes the Kite app’s mandatory device lock effectively adds a layer on top of the app code. Avoid installing the broker app or an authenticator from anywhere other than the official app stores, and avoid sideloaded or cracked apps on the same device, because a compromised device can read what is on screen, including a live TOTP. Log in to Kite web on machines you control, and log out of shared or public computers rather than relying on the daily forced logout.

Defend against phishing and vishing

Phishing and vishing are the routes that do not need to defeat your TOTP at all; they get you to hand it over. A phishing site impersonates the broker’s login page and captures your user ID, password, and a live code inside its 30-second window. A vishing call impersonates the broker’s support line and talks you into reading an OTP aloud or installing a remote-access app.

The defences are simple and absolute. Check the exact domain in the address bar before entering anything, and reach the login by typing the address or using a saved bookmark, never by following a link in an unsolicited SMS, email, or WhatsApp message. Never share an OTP, a TOTP, or your password with anyone, including someone who says they are from the broker; a broker’s staff never need your OTP or password, because the systems do not require them to. Be wary of any caller who creates urgency, asks you to install an app to “fix” an issue, or claims to need a code to “verify” you. If a call claims to be from the broker, hang up and dial the official Zerodha customer care number yourself; see how to verify a Zerodha call for the check. Treat unsolicited stock tips by SMS or social media as a separate red flag, because they often precede a manipulation or impersonation attempt; you can stop stock-tip SMS and read whether Zerodha solicits fund transfers (it does not) to calibrate what a genuine message looks like.

Prefer a scope-limited DDPI over an open-ended POA

What you authorise the broker to do with your holdings is a security setting in its own right. The older instrument was a power of attorney (POA), which could be broad. SEBI replaced it for the delivery use case with the Demat Debit and Pledge Instruction (DDPI), which is scope-limited: it authorises the broker to debit securities only when you sell them, and to handle pledge for margin, and nothing wider. The narrower the authorisation, the smaller the damage any compromise can do. If you still run on an old POA, the POA to DDPI transition and how to convert POA to DDPI explain the switch. DDPI is also not strictly required: you can authorise each sale through the CDSL TPIN and eDIS flow instead, which adds a per-transaction OTP and keeps the broker out of standing authorisation entirely, at the cost of more friction. Either way, understand what you have signed; an unreviewed open-ended POA is the single largest authorisation exposure on many accounts.

Monitor the account through Console

Monitoring turns a silent compromise into a caught one. Zerodha Console is the back office where your holdings, positions, and funds statement are visible; review them regularly so an unfamiliar debit, an unexpected position, or a fund movement you did not make shows up while you can still act. Read the CDSL consolidated account statement and keep transaction SMS alerts on, because a debit or login you did not initiate is exactly the kind of event you want flagged the moment it happens. Zerodha also sends notifications for a new-device login, a login from a different city, and multiple incorrect 2FA attempts; do not dismiss these, because each is a signal someone else may be trying the account.

Review third-party app authorisations

If you use Kite Connect or any third-party tool that logs in through Zerodha, you have granted apps access to your account. An app you authorised once and forgot is standing access. Review the connected apps and revoke any you no longer use or do not recognise; the steps are in how to revoke Kite connected apps. The same discipline applies to TOTP automation for the API: convenient for an algo, but it concentrates your second factor in a script, so guard the script and the secret as you would the account itself; see how to use Kite Connect TOTP automation for the trade-off.

Know the regulatory floor and the escalation path

Your broker is not the only line of defence; SEBI sets a floor and an escalation path. The broker’s own cyber-security obligations sit under the SEBI cyber-security framework, the consolidated CSCRF issued by circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated 20 August 2024, which requires brokers to anticipate, withstand, contain, recover from, and evolve against cyber incidents. The SEBI investor charter and Zerodha investor charter set out your rights and the service standards you can hold the broker to. If something goes wrong and the broker does not resolve it, escalate through SEBI SCORES and the Smart ODR platform; the grievance escalation matrix maps the full ladder. Knowing this path is part of security, because it is what you fall back on when prevention fails.

If you suspect a compromise

Act fast and in order. Reset your password and your second factor immediately to lock out anyone with current access. Revoke any unfamiliar connected apps so a hostile integration cannot continue operating. Contact the broker through the official support channel, not a number from a search result or a message. If unauthorised transactions occurred, document them from Console, raise a complaint with the broker, and escalate through SCORES or Smart ODR if the resolution is unsatisfactory. The faster the reset, the smaller the window an attacker has to move securities or funds.

References

  1. SEBI circular SEBI/HO/MIRSD/DOP/CIR/P/2018/147, dated 3 December 2018, on two-factor authentication for login to online trading accounts (in force from 30 September 2022 after extensions).
  2. SEBI circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113, dated 20 August 2024, Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities.
  3. Zerodha support, “How are Kite app code and external TOTP better than SMS OTP?” (as of 20 June 2026).
  4. SEBI guidelines on the Demat Debit and Pledge Instruction (DDPI) replacing power of attorney for delivery debits.

Frequently asked questions

What is the single best step to secure a trading account?
Switch your login second factor from SMS OTP to an external authenticator TOTP. It is computed offline, resists SIM-swap and interception, and cannot be delayed by telecom congestion at market open. SEBI mandates two-factor login; the form is your choice.
Is TOTP safer than SMS OTP for my demat account?
Yes. SMS is an unencrypted protocol that can be intercepted, and your SIM can be hijacked by social engineering, which routes every OTP to an attacker. A TOTP never travels over a network, so SIM-swap and interception do not reach it.
What is the difference between DDPI and POA for account safety?
A DDPI is scope-limited: it authorises your broker only to debit securities you sell. An older power of attorney was open-ended and could permit broader actions. DDPI narrows what the broker can do with your holdings, so it is the safer authorisation.
How do I spot a phishing site impersonating my broker?
Check the exact domain in the address bar before entering anything, do not log in from links in unsolicited SMS, email, or WhatsApp, and never share an OTP or TOTP with a caller. Brokers never ask for your password or OTP over the phone.
How often should I check my demat account?
Review your holdings, positions, and funds ledger in Console regularly, and read the CDSL consolidated account statement and transaction SMS alerts. Frequent checks catch an unauthorised debit or login early, when it is easiest to act on.
What do I do if I suspect my account is compromised?
Reset your password and second factor immediately, revoke any unfamiliar connected apps, contact the broker through the official support channel, and if unauthorised transactions occurred, raise a complaint and escalate through SEBI SCORES or Smart ODR if needed.

Reviewed and published by

The WebNotes Editorial Team covers Indian capital markets, payments infrastructure and retail investor procedures. Every article is fact-checked against primary sources, principally SEBI circulars and master directions, NPCI specifications and the official support documentation published by the intermediary in question. Drafts go through a second-pair-of-eyes review and a separate compliance read before publication, and revisions are tracked against the SEBI and NPCI rule changes referenced in the methodology section.

Last reviewed
Conflicts of interest
WebNotes is independent. No relationship with any broker, registrar or bank named in this article.