
How to set up TOTP on Zerodha Kite

From WebNotes, a public knowledge base. Last updated . Reading time ~11 min. Level: Beginner.

TOTP, or time-based one-time password, is a six-digit code that an authenticator app on your phone generates offline and refreshes every 30 seconds; on Zerodha Kite you enable it under My profile, Password & security, Enable external TOTP, then scan a QR code with Google Authenticator or Authy so the rolling app code becomes your second login factor in place of the SMS OTP. Setting it up takes about five minutes and costs nothing.

You set up external TOTP because SMS one-time passwords fail at the worst moment. Zerodha’s own support pages list the problem: at a market peak, when thousands of time-sensitive OTPs hit the telecom gateways at once, the message arrives late or not at all, and you cannot log in. An authenticator app needs no network connection. It computes the code on the device from a shared secret and the clock, so there is nothing to deliver and nothing to intercept.

This guide covers the enrolment flow on Kite web and the Kite app, scanning the QR code or copying the secret key by hand, the exact UI labels Zerodha uses, the verification email it sends, and how the app code replaces the SMS OTP from the next login onward. It also covers the regulatory basis, because two-factor authentication on every login is not a Zerodha preference; it is a SEBI and exchange mandate.

Conflict-of-interest disclosure. This guide is published by the WebNotes Editorial Team for informational purposes and is written independently. WebNotes operates a Zerodha account-opening referral programme, disclosed on the pages that carry the referral link; this guide does not carry it and earns no referral commission from the procedure described here.

Step-by-step procedure

The numbered infobox above gives the sequence. The detail below expands the parts that catch people out: where the setting lives, the verification email, scanning versus copying the key, and the platform differences between Kite web and the Kite app.

1. Open Password and security in your Kite profile

On Kite web, log in with your user ID and current second factor, click your client ID at the top right, open My profile then Settings, and click Password & security. On the Kite app, tap your client ID, tap Profile, then tap Manage for Password and Security. This is the same panel where you change your password and, later, where you disable TOTP. You must be logged in to reach it. If you cannot log in at all because you have already lost your second factor, do not use this guide; use the password and TOTP reset flow described in How to recover a lost TOTP on Zerodha, which re-enrols TOTP through the Forgot password route instead.

2. Click Enable external TOTP

Click or tap Enable external TOTP. Kite immediately sends a one-time verification code to your registered email address, not to your phone by SMS. This email step is the identity check that authorises the change, so the registered email must be one you can open right now. If your email or mobile on record is stale, fix it first through How to change your email on Zerodha or How to change your mobile number on Zerodha, because every account-security change routes its verification through those two channels.

3. Verify with the email OTP

Enter the OTP from the email and click Verify. Kite then displays a QR code and, below it, a Can’t scan? Copy key link that reveals the secret setup key as text. This QR code and key are specific to your account and to this enrolment attempt. A fresh key is generated each time you start the flow, so do not reuse a QR code or key from a screenshot you took earlier; that is a common cause of the Invalid TOTP error covered in How to fix the Invalid TOTP error on Zerodha.

4. Add the account to your authenticator app

Install the authenticator if you have not already; Google Authenticator, Microsoft Authenticator, and Authy are free on the Google Play Store and the Apple App Store. In the app, choose to add an account, select Scan a QR code, allow camera access, and point the camera at the Kite screen. The app adds an entry labelled with your Zerodha user ID and starts showing a six-digit code that ticks over every 30 seconds.

If the camera will not scan, click Can’t scan? Copy key on Kite, copy the secret key, and use your authenticator’s manual-entry option (Authy calls it “Enter setup key”, Google Authenticator calls it “Enter a setup key”). Paste the key, give the entry a name, and the app generates the same rolling code it would have produced from the QR. The manual key and the QR encode the identical secret; either path lands you in the same place.

5. Enter the generated TOTP and your password

Back on Kite, read the current six-digit code from your authenticator and type it into the TOTP field, along with your Kite login password. Enter the code promptly. It is valid for only the 30-second window in which it is displayed; if it is about to roll over, wait for the next code and enter that one instead. Kite checks the code against the secret it just shared with your app.

6. Click Enable

Click or tap Enable. Kite confirms that external TOTP is active, and on the app you get a notification confirming the setup. From your next login, the password screen is followed by a TOTP field, and you read the code from your authenticator instead of waiting for an SMS. The SMS OTP path is switched off while external TOTP is on.

How TOTP replaces the SMS OTP

Before you enable external TOTP, your second factor is the SMS OTP: after your password, Kite texts a code to your registered mobile and you type it in. After you enable external TOTP, that text stops and Kite asks for the authenticator code instead. You hold one second factor at a time, not both.

The mechanism is different in a way that matters. An SMS OTP is generated on Zerodha’s side and delivered to you over the cellular network, an unencrypted channel that depends on a telecom gateway and a working SIM. A TOTP is generated on your side: your authenticator app and Zerodha’s server share a secret once, at enrolment, and from then on both compute the same six-digit code independently from that secret and the current time, in 30-second steps. Nothing travels over the air at login. There is no message to delay, drop, or intercept, and no SIM to swap. That is why Zerodha describes the authenticator route as cryptographically secure and free of the SMS gateway as a single point of failure.

The Kite mobile app code is the same TOTP mechanism wrapped into the app itself: if you run the Kite app, the app generates the code internally and you approve it on the phone. External TOTP exists for the users who do not run the Kite app, or who prefer to keep their second factor in a dedicated authenticator. Read Kite app code and Kite app code versus SMS OTP for how the in-app code and the external authenticator relate.

Regulatory basis for two-factor authentication

Two-factor authentication on a trading login is not optional and not a Zerodha product decision. NSE circular NSE/COMP/52623, dated 14 June 2022 and issued in consultation with SEBI, requires a second factor of authentication on every login to an internet-based trading (IBT) or securities-trading-through-wireless-technology (STWT) platform. The factors are a knowledge factor (your password) plus a second factor that is a possession or biometric factor: an OTP, a PIN, a TOTP, or a biometric, distinct from the password. A follow-up exchange direction reiterated that the second factor must be sought on each login attempt, which is why Kite asks for it every time and logs you out daily rather than keeping a session open indefinitely.

This sits inside SEBI’s wider cyber-security and cyber-resilience framework for stock brokers and depository participants (SEBI circular dated June 2022, reference 59581), which obliges intermediaries to harden client authentication. TOTP satisfies the second-factor requirement with a stronger possession factor than SMS, which is why Zerodha offers and encourages it. For Zerodha’s own account of how it implements security across login and order placement, see Zerodha cyber security and Is Zerodha safe.

Backing up the secret across devices

The secret key behind your TOTP lives in your authenticator app. Lose the phone and you lose the codes, unless the authenticator backs the secret up. Authy syncs encrypted tokens to its cloud, so a second device with Authy shows the same Kite code; Google Authenticator now offers an optional Google-account sync that does the same. There is no way to read the secret back out of Kite after setup, since the QR is shown once per enrolment attempt, so if your authenticator stores secrets only on the device, plan the migration before you wipe the old phone or you will fall back on the reset flow in How to recover a lost TOTP on Zerodha.

When the code is rejected at setup

If Kite returns Invalid TOTP when you click Enable, the cause is almost always a clock mismatch. TOTP depends on the clock of the device running the authenticator matching network time; even a small drift makes the app compute a code for the wrong 30-second window, and Kite rejects it. Set the authenticator phone to automatic or network-provided time before you retry. The full per-device fix is in How to fix the Invalid TOTP error on Zerodha. A second, less common cause is reusing an old QR or key: each enrolment attempt mints a fresh secret, so scan the code currently on screen, not one from an earlier try.
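The following Python is an added worked example for this guide, not Zerodha's, Google Authenticator's or Authy's code. It ties together three points made above: what the QR code in step 3 and the "Can't scan? Copy key" text in step 4 actually carry (an otpauth:// URI whose `secret` parameter is the same base32 key you would type by hand), how both the authenticator and the server compute the same six-digit code from that secret and the current 30-second step (RFC 6238, HMAC-SHA1), and why a phone clock that is off by more than a window or so produces a code the server rejects. The URI, the account label "Kite:AB1234" and the secret are constructed sample values; the secret is the test key published in RFC 6238, not a real Kite key. The server-side `verify` function, with its one-step tolerance, is an assumption about how a typical TOTP verifier behaves, not a description of Kite's implementation.

```python
# Worked TOTP example (RFC 6238: HMAC-SHA1, 6 digits, 30-second steps).
# Added illustration for this guide; not Zerodha's or any authenticator's
# code. All sample values below are constructed.
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# What a TOTP QR code encodes: an otpauth:// URI. The "Copy key" link shows
# the same `secret` parameter as text. The secret here is the RFC 6238
# test key, used as a stand-in for a real (never shared) enrolment key.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_URI = ("otpauth://totp/Kite:AB1234?secret=" + SAMPLE_SECRET
              + "&issuer=Kite&algorithm=SHA1&digits=6&period=30")


def parse_otpauth(uri):
    """Extract the enrolment parameters from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "issuer": q.get("issuer", [""])[0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def totp(secret_b32, unix_time, period=30, digits=6):
    """Code for the 30-second step containing unix_time. The authenticator
    and the server both run exactly this computation, independently."""
    # Base32 keys are usually shown without '=' padding; restore it.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    step = int(unix_time) // period                       # time counter T
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, server_time, drift_steps=1, period=30):
    """Assumed server-side check: accept the current window plus
    drift_steps neighbours on each side, so a few seconds of clock skew
    pass while a clock that is minutes off does not (the Invalid TOTP case)."""
    for k in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, server_time + k * period, period)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def same_code_both_paths(uri, typed_key, at_time):
    """Scanning the QR and typing the key give the same secret, hence the
    same code: the manual-entry path lands in the same place."""
    return totp(parse_otpauth(uri)["secret"], at_time) == totp(typed_key, at_time)


def drift_outcome(secret_b32, phone_offset_seconds, server_time):
    """Simulate a phone whose clock is off by phone_offset_seconds: it
    computes the code for its own window and the server checks it."""
    phone_code = totp(secret_b32, server_time + phone_offset_seconds)
    return verify(secret_b32, phone_code, server_time)


if __name__ == "__main__":
    print("QR parameters:", parse_otpauth(SAMPLE_URI))
    print("code at t=59:", totp(SAMPLE_SECRET, 59))          # 287082
    print("same code via QR and typed key:",
          same_code_both_paths(SAMPLE_URI, SAMPLE_SECRET, 59))
    for off in (0, -2, 90):
        ok = drift_outcome(SAMPLE_SECRET, off, 1111111111)
        print(f"phone clock off by {off:>3}s -> accepted: {ok}")
```

Run it as a script: the -2 second case lands in the previous window and is still accepted by the one-step tolerance, while the 90 second case is three windows away and is rejected, which is the behaviour the clock-mismatch paragraph describes. The 287082 value at t=59 matches the RFC 6238 test vector for this key, which is a quick way to confirm any TOTP implementation is computing the standard algorithm.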

References

  1. Zerodha support, How do I set up Time-based OTP (TOTP) to log in to Kite? (as of 20 June 2026).
  2. Zerodha support, How are Kite app code and external TOTP better than SMS OTP? (as of 20 June 2026).
  3. NSE circular NSE/COMP/52623, dated 14 June 2022, on two-factor authentication for internet-based trading and securities trading through wireless technology, issued in consultation with SEBI.
  4. SEBI, Modification in Cyber Security and Cyber Resilience framework of Stock Brokers and Depository Participants, circular dated June 2022 (reference 59581).

WebNotes Editorial Team prepares factual how-to guides based on publicly available regulatory documents and broker disclosures. WebNotes is not affiliated with Zerodha Broking Limited. Procedures and screen labels are subject to change; verify the current flow at support.zerodha.com before acting.

Frequently asked questions

What is TOTP on Zerodha Kite?
TOTP, or time-based one-time password, is a six-digit code that an authenticator app on your phone generates offline and refreshes every 30 seconds. On Kite it is the second login factor after your password, replacing the SMS OTP.
Which authenticator apps work with Zerodha?
Google Authenticator, Microsoft Authenticator, Authy, Bitwarden, Ente Auth, and LastPass Authenticator all work. Zerodha does not supply its own separate app for this; any standard TOTP authenticator generates a code Kite accepts.
Do I still get SMS OTP after enabling TOTP?
No. Once external TOTP is enabled, Kite stops sending the SMS OTP and asks for the authenticator code instead. The two factors are mutually exclusive: you use the app code, not the text message, at every login.
Can I set up TOTP without the Kite mobile app?
Yes. External TOTP exists precisely for users who do not run the Kite mobile app. You enrol on Kite web under Password and security, scan the QR with any authenticator, and from then on log in with that app’s code on web and mobile.
What if I cannot scan the QR code?
Click Can’t scan? Copy key below the QR code, copy the secret setup key, and paste it into your authenticator app’s manual-entry option. The app then generates the same rolling code as if you had scanned the QR.
Is there any charge to enable TOTP on Zerodha?
No. Enabling, disabling, and re-enrolling external TOTP are free. The authenticator apps themselves are free to download from the Google Play Store and the Apple App Store.

Reviewed and published by

The WebNotes Editorial Team covers Indian capital markets, payments infrastructure and retail investor procedures. Every article is fact-checked against primary sources, principally SEBI circulars and master directions, NPCI specifications and the official support documentation published by the intermediary in question. Drafts go through a second-pair-of-eyes review and a separate compliance read before publication, and revisions are tracked against the SEBI and NPCI rule changes referenced in the methodology section.

Last reviewed
Conflicts of interest
WebNotes is independent. No relationship with any broker, registrar or bank named in this article.