<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Two-Factor Authentication on WebNotes</title><link>https://v2.webnotes.in/tags/two-factor-authentication/</link><description>Recent content in Two-Factor Authentication on WebNotes</description><generator>Hugo</generator><language>en-IN</language><lastBuildDate>Sat, 20 Jun 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://v2.webnotes.in/tags/two-factor-authentication/index.xml" rel="self" type="application/rss+xml"/><item><title>How to disable TOTP on Zerodha Kite</title><link>https://v2.webnotes.in/how-to-disable-totp-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-disable-totp-zerodha/</guid><description>&lt;p&gt;&lt;strong&gt;To disable TOTP on &lt;a href="https://v2.webnotes.in/zerodha/"&gt;Zerodha&lt;/a&gt;
 &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
, log in, open My profile then Password &amp;amp; security, click Disable external TOTP, enter your Kite login password, and click Disable; the account then reverts to the &lt;a href="https://v2.webnotes.in/sms-otp/" rel="nofollow"&gt;SMS OTP&lt;/a&gt;
 as its second factor.&lt;/strong&gt; You cannot switch the second factor off entirely, because two-factor authentication on a trading login is mandated by the exchanges and SEBI.&lt;/p&gt;
&lt;p&gt;This is the point most people miss. &amp;ldquo;Disable TOTP&amp;rdquo; does not mean &amp;ldquo;log in with just a password.&amp;rdquo; It means swap the time-based app code back for the text-message code. One second factor always remains. Zerodha&amp;rsquo;s support pages are explicit that the OTP step at login cannot be eliminated, only changed in form.&lt;/p&gt;</description></item><item><title>How to enable device lock on the Kite app</title><link>https://v2.webnotes.in/how-to-enable-device-lock-kite/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-enable-device-lock-kite/</guid><description>&lt;p&gt;Device lock on the &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 app is your phone&amp;rsquo;s own screen lock, a PIN, pattern, fingerprint, or Face ID, that Kite uses as the second authentication factor when you log in. It is not a separate code you type into the app and it is not optional: device lock for Kite app login has been mandatory since 23 September 2022, because it satisfies the requirement set by the Securities and Exchange Board of India (&lt;a href="https://v2.webnotes.in/sebi/"&gt;SEBI&lt;/a&gt;) for two-factor authentication (2FA) on trading-app login. Your lock data stays on your phone; Zerodha does not store it.&lt;/p&gt;</description></item><item><title>How to fix the Invalid TOTP error on Zerodha Kite</title><link>https://v2.webnotes.in/how-to-fix-invalid-totp-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-fix-invalid-totp-zerodha/</guid><description>&lt;p&gt;&lt;strong&gt;The Invalid TOTP error on &lt;a href="https://v2.webnotes.in/zerodha/"&gt;Zerodha&lt;/a&gt;
 &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 is a clock problem, not a wrong code: Kite rejects the &lt;a href="https://v2.webnotes.in/how-to-set-up-totp-zerodha/"&gt;TOTP&lt;/a&gt;
 when the clock on the device running your authenticator does not match network time, so set that phone to automatic or network-provided time and enter a fresh six-digit code.&lt;/strong&gt; TOTP is time-based; a drift of even a minute makes the app compute the code for the wrong 30-second window, and Kite refuses it.&lt;/p&gt;
&lt;p&gt;This is the single most common cause, and it is also the least obvious one, because the code on screen looks perfectly valid. It is valid, for a moment that has already passed or not yet arrived. The fix is to correct the clock on the device that generates the code, which is the phone holding Google Authenticator or Authy, not the computer you are logging in from.&lt;/p&gt;</description></item><item><title>How to log in to Zerodha Console</title><link>https://v2.webnotes.in/how-to-login-zerodha-console/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-login-zerodha-console/</guid><description>&lt;p&gt;&lt;strong&gt;Zerodha Console is the broker&amp;rsquo;s reporting and back-office platform at console.zerodha.com, and you log in to it with your Kite credentials by clicking Login with Kite.&lt;/strong&gt; Console has no username or password of its own. It authenticates every client through the same &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 login system, using the same 12-character &lt;a href="https://v2.webnotes.in/zerodha-12-character-user-id-format/"&gt;user ID&lt;/a&gt;, the same password, and the same second factor. This guide covers the exact login flow, why Console and Kite share one credential set, and the access problems that send people looking for help.&lt;/p&gt;</description></item><item><title>How to log in to Zerodha when your mobile is lost</title><link>https://v2.webnotes.in/how-to-login-mobile-lost-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-login-mobile-lost-zerodha/</guid><description>&lt;p&gt;&lt;strong&gt;If your registered mobile is lost, you regain Kite access by switching your second factor from SMS OTP to a TOTP authenticator app, which generates the 6-digit login code on any device without an SMS.&lt;/strong&gt; SMS-based two-factor authentication depends on the SIM in your hand; a lost phone breaks it. The fix is a &lt;a href="https://v2.webnotes.in/kite-app-code/"&gt;TOTP authenticator&lt;/a&gt;, set up during a password reset that you verify by email rather than SMS. This guide walks that reset-and-switch flow, the change-of-mobile route to restore your number, and the harder case where both your mobile and email are gone.&lt;/p&gt;</description></item><item><title>How to recover a forgotten Kite PIN</title><link>https://v2.webnotes.in/how-to-recover-kite-pin/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-recover-kite-pin/</guid><description>&lt;p&gt;&lt;strong&gt;The Kite PIN is the 6-digit second factor you enter after your password, and you reset a forgotten one through the Forgot user ID or password flow on kite.zerodha.com.&lt;/strong&gt; There is no separate Forgot PIN button, because the PIN is part of your login credentials, not a standalone code. Resetting it routes through the same screen that resets the password: user ID, PAN, an OTP on email or SMS, then a new password and a new PIN set together. This guide walks that reset, explains how the PIN relates to the full login, and covers the switch to a &lt;a href="https://v2.webnotes.in/kite-app-code/"&gt;TOTP authenticator&lt;/a&gt;
 if you would rather not memorise a PIN at all.&lt;/p&gt;</description></item><item><title>How to recover a lost TOTP on Zerodha Kite</title><link>https://v2.webnotes.in/how-to-recover-lost-totp-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-recover-lost-totp-zerodha/</guid><description>&lt;p&gt;&lt;strong&gt;If you lost the phone holding your authenticator, deleted the app, or wiped the device, recover access on &lt;a href="https://v2.webnotes.in/zerodha/"&gt;Zerodha&lt;/a&gt;
 &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 by clicking Forgot user ID or password? on the login page; verify with your user ID, PAN, and an OTP to your registered email or mobile, set a new password, then re-enrol TOTP under Method 2: External authenticator and scan a fresh QR code.&lt;/strong&gt; The standard reset is self-service and free; no support ticket is needed unless you have also lost access to both your registered email and mobile.&lt;/p&gt;</description></item><item><title>How to remove the temporary OTP on Kite</title><link>https://v2.webnotes.in/how-to-remove-temporary-otp-kite/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-remove-temporary-otp-kite/</guid><description>&lt;p&gt;&lt;strong&gt;You cannot remove the temporary OTP step on &lt;a href="https://v2.webnotes.in/zerodha/"&gt;Zerodha&lt;/a&gt;
 &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
, because NSE and &lt;a href="https://v2.webnotes.in/sebi/"&gt;SEBI&lt;/a&gt;
 require a second authentication factor on every trading login; what you can do is switch the temporary OTP from an SMS-delivered code to an authenticator-generated &lt;a href="https://v2.webnotes.in/how-to-set-up-totp-zerodha/"&gt;TOTP&lt;/a&gt;, under My profile then Password &amp;amp; security.&lt;/strong&gt; The OTP step itself is mandatory and stays; only its form is yours to choose.&lt;/p&gt;
&lt;p&gt;The phrase &amp;ldquo;temporary OTP&amp;rdquo; describes the time-limited one-time password Kite asks for after your password at each login. It is temporary in the literal sense: each code is valid for a short window, about 30 seconds for an authenticator code, then expires. People searching to &amp;ldquo;remove&amp;rdquo; it usually mean one of two things: they want to stop the SMS-delivered OTP and use something smoother, or Zerodha issued them a one-off temporary access after a lockout and they want to know how to get back to a normal login. This guide covers both.&lt;/p&gt;</description></item><item><title>How to secure an Indian trading and demat account: best practices</title><link>https://v2.webnotes.in/how-to-secure-trading-account/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-secure-trading-account/</guid><description>&lt;p&gt;Securing an Indian trading and demat account comes down to a few controls that block the routes attackers actually use: a strong, offline second login factor, clean device habits, a refusal to enter credentials on pages or calls you did not initiate, a scope-limited &lt;a href="https://v2.webnotes.in/poa-to-ddpi-transition/"&gt;DDPI&lt;/a&gt;
 rather than an open-ended power of attorney, and regular monitoring through &lt;a href="https://v2.webnotes.in/zerodha-console/"&gt;Zerodha Console&lt;/a&gt;
 so an unauthorised move shows up early. None of these is exotic; the gap is that most accounts run on the weakest available option for each.&lt;/p&gt;</description></item><item><title>How to set up TOTP on Zerodha Kite</title><link>https://v2.webnotes.in/how-to-set-up-totp-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-set-up-totp-zerodha/</guid><description>&lt;p&gt;&lt;strong&gt;TOTP, or time-based one-time password, is a six-digit code that an authenticator app on your phone generates offline and refreshes every 30 seconds; on &lt;a href="https://v2.webnotes.in/zerodha/"&gt;Zerodha&lt;/a&gt;
 &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 you enable it under My profile, Password &amp;amp; security, Enable external TOTP, then scan a QR code with &lt;a href="https://v2.webnotes.in/google-authenticator/" rel="nofollow"&gt;Google Authenticator&lt;/a&gt;
 or &lt;a href="https://v2.webnotes.in/authy/" rel="nofollow"&gt;Authy&lt;/a&gt;
 so the rolling app code becomes your second login factor in place of the SMS OTP.&lt;/strong&gt; Setting it up takes about five minutes and costs nothing.&lt;/p&gt;</description></item><item><title>How to set up your password on Zerodha</title><link>https://v2.webnotes.in/how-to-set-up-password-zerodha/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-set-up-password-zerodha/</guid><description>&lt;p&gt;&lt;strong&gt;Zerodha never sends you a ready-made password.&lt;/strong&gt; When your account opens, the welcome email from &lt;a href="mailto:welcome@zerodha.com"&gt;welcome@zerodha.com&lt;/a&gt;
 carries your 12-character &lt;a href="https://v2.webnotes.in/zerodha-12-character-user-id-format/"&gt;user ID&lt;/a&gt;
 and a link to set the password yourself, nothing more. The absence of a password in that email is the design, not a delivery failure. This guide walks the first-login setup: opening the welcome email, creating the password, and configuring the 6-digit PIN or TOTP authenticator that the SEBI two-factor rule makes compulsory on every &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 login.&lt;/p&gt;</description></item><item><title>How to unblock a blocked Kite account</title><link>https://v2.webnotes.in/how-to-unblock-kite-account/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-unblock-kite-account/</guid><description>&lt;p&gt;&lt;strong&gt;Kite blocks your account after five incorrect password attempts, and the block clears only when you reset your login credentials; there is no separate unblock button.&lt;/strong&gt; Completing the Forgot user ID or password flow sets a new password and unblocks the account automatically. The same applies to a block from repeated incorrect &lt;a href="https://v2.webnotes.in/why-risk-disclosure-every-login-kite/"&gt;two-factor authentication&lt;/a&gt;
 entries. This guide walks the reset-to-unblock flow, and separates it from two states people confuse with a login block: account dormancy, and a risk-management or suspicious-activity freeze, each of which has a different fix.&lt;/p&gt;</description></item><item><title>How to verify whether an email is genuinely from Zerodha</title><link>https://v2.webnotes.in/how-to-verify-zerodha-email/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-verify-zerodha-email/</guid><description>&lt;p&gt;An email is genuinely from Zerodha only if its sender domain is &lt;strong&gt;zerodha.com&lt;/strong&gt; or one of the ten mailer subdomains Zerodha publishes on its verify-genuine-email support page, and even a genuine email never asks for your password, OTP or PIN. The sender domain, the part of the address after the @ sign, is the one signal a fraudster cannot fake past your email provider&amp;rsquo;s authentication checks. The logo, the formatting, the tone, the client ID in the body: all of these are copied from real emails and prove nothing.&lt;/p&gt;</description></item><item><title>Kite app code vs external TOTP vs SMS OTP: which second factor to use</title><link>https://v2.webnotes.in/kite-app-code-totp-vs-sms-otp/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/kite-app-code-totp-vs-sms-otp/</guid><description>&lt;p&gt;Kite offers three ways to satisfy the second factor of a two-factor login: the in-app &lt;strong&gt;app code&lt;/strong&gt;, an external authenticator &lt;strong&gt;TOTP&lt;/strong&gt;, and &lt;strong&gt;SMS OTP&lt;/strong&gt;. An external authenticator TOTP is the most secure and most reliable of the three, because it computes codes offline, removes the SIM and the telecom network from the attack surface, and lets you log in to &lt;a href="https://v2.webnotes.in/kite-web/"&gt;Kite web&lt;/a&gt;
 without opening the &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 mobile app. The in-app app code is a solid default; SMS OTP is the weakest link and is best treated as a fallback only.&lt;/p&gt;</description></item><item><title>Kite app code: what it is and how it works as a login factor</title><link>https://v2.webnotes.in/kite-app-code/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/kite-app-code/</guid><description>&lt;p&gt;The &lt;strong&gt;Kite app code&lt;/strong&gt; is a six-digit time-based one-time password (TOTP) generated inside Zerodha&amp;rsquo;s &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 mobile app that you type into &lt;a href="https://v2.webnotes.in/kite-web/"&gt;Kite web&lt;/a&gt;
 as the second factor of a two-factor login. After you enter your user ID and password on Kite web, the app shows a code that is valid for 30 seconds; entering it completes the login. Zerodha documents this as the default second factor for clients who have the Kite mobile app and have not switched to an external authenticator.&lt;/p&gt;</description></item><item><title>Zerodha client password and credential policy</title><link>https://v2.webnotes.in/zerodha-client-password-policy/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/zerodha-client-password-policy/</guid><description>&lt;p&gt;&lt;strong&gt;Zerodha&amp;rsquo;s client password and credential policy&lt;/strong&gt; sets no password in the account-opening welcome email; the client creates the password at first login, and a mandatory second factor, the Kite App Code or an external time-based one-time password (TOTP), sits on top of it under the cyber-security framework SEBI mandated in its circular of 3 December 2018, enforced across brokers from 30 September 2022. The login is therefore two factors deep by design, and the account holder, not the broker, carries the loss from any credential misuse.&lt;/p&gt;</description></item><item><title>Zerodha login from a different city alert</title><link>https://v2.webnotes.in/zerodha-login-different-city-alert/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/zerodha-login-different-city-alert/</guid><description>&lt;p&gt;The &lt;strong&gt;Zerodha login from a different city alert&lt;/strong&gt; is an email, accompanied by a Kite app notification, that Zerodha sends when you log in to &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 from a city or IP address it has not seen on your account before. Zerodha judges location from the IP address of the login request, not from your physical position, so the alert is a prompt to confirm the login was yours, not a statement that someone has broken in. The decision you have to make on receiving it is binary: do you recognise this login, or not?&lt;/p&gt;</description></item><item><title>Zerodha multiple incorrect 2FA notification</title><link>https://v2.webnotes.in/zerodha-multiple-incorrect-2fa-notification/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/zerodha-multiple-incorrect-2fa-notification/</guid><description>&lt;p&gt;The &lt;strong&gt;Zerodha multiple incorrect 2FA notification&lt;/strong&gt; is an alert sent to your registered email and current device when several wrong two-factor authentication entries are made on your &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 login, and the account is blocked after 5 incorrect 2FA entries. The notification warns that the 2FA was entered incorrectly and that your password may be compromised, because whoever was entering the 2FA had already cleared the password stage to reach it. If you made the failed attempts yourself, a credential reset restores access; if you did not, the alert is telling you someone else got as far as your second factor.&lt;/p&gt;</description></item><item><title>Zerodha new device login notification</title><link>https://v2.webnotes.in/zerodha-new-device-login-notification/</link><pubDate>Sat, 20 Jun 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/zerodha-new-device-login-notification/</guid><description>&lt;p&gt;The &lt;strong&gt;Zerodha new device login notification&lt;/strong&gt; is an alert sent to your registered email and your current device the moment your correct &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 password is entered on a device Zerodha has not seen before, sent before two-factor authentication is completed. It tells you that your login credentials have been entered on a new device, so you can confirm the login was yours or act quickly if it was not. The notification keys on the device, which is what separates it from the &lt;a href="https://v2.webnotes.in/zerodha-login-different-city-alert/"&gt;login-from-a-different-city alert&lt;/a&gt;
 that keys on IP location.&lt;/p&gt;</description></item><item><title>How to reset 2FA on Zerodha</title><link>https://v2.webnotes.in/how-to-reset-2fa-zerodha/</link><pubDate>Tue, 12 May 2026 00:00:00 +0000</pubDate><guid>https://v2.webnotes.in/how-to-reset-2fa-zerodha/</guid><description>&lt;p&gt;&lt;a href="https://v2.webnotes.in/zerodha/"&gt;Zerodha&lt;/a&gt;
 requires two-factor authentication (2FA) for all &lt;a href="https://v2.webnotes.in/kite-zerodha/"&gt;Kite&lt;/a&gt;
 logins. The two options are:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;TOTP (Time-based One-Time Password)&lt;/strong&gt;: generated by an authenticator app on your phone (Google Authenticator, Authy, Microsoft Authenticator, or any RFC 6238-compliant app).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SMS OTP&lt;/strong&gt;: a 6-digit code sent to the mobile number registered with Zerodha.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;A 2FA reset is needed when you lose access to your authenticator app (phone replaced, app deleted, app data lost) or when the TOTP codes generated by the app no longer match the expected codes (time-sync issue).&lt;/p&gt;</description></item></channel></rss>