Zerodha client password and credential policy
Zerodha’s client password and credential policy sets no password in the account-opening welcome email; the client creates the password at first login, and a mandatory second factor, the Kite App Code or an external time-based one-time password (TOTP), sits on top of it under the cyber-security framework SEBI mandated in its circular of 3 December 2018, enforced across brokers from 30 September 2022. The login is therefore two factors deep by design, and the account holder, not the broker, carries the loss from any credential misuse.
This is the credential architecture behind every Zerodha login: the Kite trading terminal, Console (the reporting back office), the Coin mutual fund platform, and the Kite Connect APIs all sit behind one user ID, one password, and one second factor. A reader arriving here usually wants one of four things answered: why no password came in the email, what the password rules actually are, how the second factor works, and what to do when a login fails. This article covers each, with the regulatory basis that fixes the design, and points to the operational guides for resetting a password or 2FA.
Conflict-of-interest disclosure. This guide is published by the WebNotes Editorial Team for informational purposes and is written independently. WebNotes operates a Zerodha account-opening referral programme, disclosed on the pages that carry the referral link; this guide does not carry it and earns no referral commission from the procedure described here.
Why no password arrives in the welcome email
A new Zerodha client commonly searches for the password in the welcome email and finds none. That is deliberate. Zerodha does not email or SMS a password at any point in the account lifecycle, and there is a separate explainer for it at why the Zerodha welcome email has no password.
The reasoning is the threat model. An email inbox is a low-trust store: it is searchable, it syncs to multiple devices, it survives in sent folders and forwards, and it is the single most common target in account-takeover attacks. A password emailed in plaintext would sit there indefinitely, readable by anyone who later gains inbox access. So the credential is never put into that channel. Instead, the client sets the password directly at first login, authenticating through a one-time link or OTP delivered to the registered email and mobile, after which the chosen password is stored only as a salted hash that nobody, including Zerodha staff, can read back.
This also closes a social-engineering route. Because no genuine Zerodha communication ever contains a password, any message that does contain one, or that asks you to confirm one, is fraudulent on its face. The policy makes the rule simple to apply: Zerodha never sends or asks for your password, full stop.
The password: what the policy does and does not specify
The password is the first of two factors, the “something you know”. Zerodha enforces a strength check at the moment you create or change it, and emails a confirmation once the change succeeds. The platform does not publish a fixed numeric formula for minimum length or a mandated mix of character classes in its support documentation, and it does not document a periodic forced expiry for the trading login. Two practical rules follow from the architecture rather than from a published character count.
First, treat the password as a unique secret, never reused. The account is protected by a second factor, but a reused password that leaks from another breached site removes the first layer entirely and hands an attacker a head start. A long passphrase generated and stored in a password manager is the standard answer.
Second, change it the moment you suspect exposure. You can reset at any time from the Kite login screen, and you do not need a current-password prompt to do so; the reset authenticates you through OTPs to your registered contacts. The operational walkthroughs are at how to set up a Zerodha password and how to recover a Kite password. Because losses from credential misuse fall on the account holder under Zerodha’s policies and procedures, the incentive to rotate a possibly leaked password sits squarely with the client.
The second factor: App Code and external TOTP
A password alone cannot log in to any Zerodha platform. Every login demands a second factor, and Zerodha offers two forms of it, both built on the same cryptographic standard.
The Kite App Code is a six-digit, time-based one-time password generated inside the Kite mobile app. When you enter your password on Kite web, the App Code that is currently valid on your phone is the second factor you type in. Each code is valid for 30 seconds and a fresh one replaces it when the window closes, so a code intercepted in transit is useless within half a minute. Because the same TOTP mechanism is integrated into the app you already use, there is no separate authenticator to install for this method.
External TOTP is the alternative for clients who prefer a dedicated authenticator. You set it up by scanning a QR code, or copying the secret key, into an app such as Google Authenticator, after which that app produces the 30-second code at each login. The setup flow lives at how to set up 2FA security on Kite, and the conceptual comparison is on the Kite app code and Kite app code versus SMS OTP pages. Both App Code and external TOTP are stronger than SMS OTP, because a TOTP secret never travels over the mobile network and so cannot be lifted by SIM-swap or SS7 interception, the two attacks that defeat SMS-based one-time passwords.
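To make the shared mechanism concrete, here is an added example (not Zerodha's code) that implements the RFC 6238 TOTP computation behind both the Kite App Code and an external authenticator: a six-digit code derived from a shared secret and the current 30-second window, plus a server-side check that accepts only that window and its immediate neighbours. The secret is the RFC 6238 test-vector key, constructed for the demo, and the one-step drift tolerance is an assumption; Zerodha does not publish the tolerance it uses.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 test-vector key "12345678901234567890",
# base32-encoded as it would appear in an authenticator setup QR code. Not a real secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # validity window of each code, as described above
DIGITS = 6          # six-digit code


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify(secret_b32: str, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: the secret never leaves either party, only the code is sent.
    Accepts the current window plus skew_steps neighbours (assumed tolerance)."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    for k in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret_b32, max(0, unix_time + k * STEP_SECONDS))
        if hmac.compare_digest(candidate, submitted):   # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    print("current code:", code, "valid for", STEP_SECONDS - now % STEP_SECONDS, "more seconds")
    # A code captured in transit is useless once its window and the tolerance have passed.
    print("same code replayed two minutes later accepted?", verify(DEMO_SECRET_B32, code, now + 120))
```

The RFC 6238 test vectors (time 59 gives 287082, time 1234567890 gives 005924 for six digits) let you confirm the implementation against a real authenticator app loaded with the same demo secret.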
For the API surface, the second factor is not optional either: Zerodha made 2FA login mandatory to place any order through the Kite Connect APIs with effect from 3 October 2021. The same TOTP that secures the web login anchors automated and programmatic access through the Kite Connect API.
The regulatory basis for mandatory 2FA
The two-factor requirement is not a Zerodha product choice; it is a SEBI mandate. SEBI’s circular of 3 December 2018 set out the cyber-security and cyber-resilience framework for stock brokers and depository participants, requiring controls to protect data integrity and guard against breaches of client privacy. The two-factor authentication obligation under that framework came into force across the industry from 30 September 2022, which is why every broker, not only Zerodha, moved its clients onto a mandatory second factor at login around that date.
This sits inside Zerodha’s wider obligations as a SEBI-registered stock broker, and connects to the investor charter commitments on safeguarding client assets and information. The broader account-level protections, from the cyber-resilience controls to the incident-response posture, are described on the Zerodha cyber security page and the record of past events on Zerodha hack and security incidents.
Where the loss sits if credentials are misused
Zerodha’s policies and procedures place the consequences of credential sharing on the client. The trading login is tied to a unique client code; sharing the user ID, password, or second factor is barred, and the policy states that the client bears the losses arising from credential misuse. That allocation is the reason the password and 2FA policy is strict: the broker builds two factors and refuses to email a credential, and in return the obligation to keep those factors private rests with the account holder.
The practical safeguards that follow are mundane and effective. Never type the 2FA code into a screen that someone has asked you to share over a call; a genuine login never needs a third party to read your code. Never reuse the trading password elsewhere. Reset immediately on any suspicion of exposure through how to recover a Kite password or how to reset 2FA on Zerodha. And verify any caller claiming to be from Zerodha against the published Zerodha customer care number before acting on anything they say.
Login failures and the OTP fallback
The most common credential failure is not a forgotten password but a 2FA code that will not work: a phone left at home, an authenticator out of sync, or a new device. The policy provides a graceful fallback. On the Kite login screen, after entering the password, choose the option for a problem with the mobile App Code, wait fifteen seconds, and request an OTP by SMS or email to your registered contacts. If your mobile number is on the Do Not Disturb registry and the SMS does not arrive, switch to the registered email channel, which is unaffected by DND.
For a deeper recovery, the user ID, the password, and the second factor each have their own reset path: how to recover a Kite user ID, how to recover a Kite password, and how to reset 2FA on Zerodha. Resetting the second factor typically requires re-establishing the App Code on a reinstalled Kite app or re-scanning a fresh TOTP secret, both authenticated against your registered contacts so that nobody who lacks access to your email and mobile can complete the reset.
See also
- Zerodha
- Kite by Zerodha
- Zerodha Console
- Zerodha Coin
- Why the Zerodha welcome email has no password
- How to set up a Zerodha password
- How to recover a Kite password
- How to recover a Kite user ID
- How to reset 2FA on Zerodha
- Kite app code
- Kite app code versus SMS OTP
- How to secure a trading account
- Zerodha cyber security
- Zerodha hack and security incidents
- Zerodha 12-character user ID format
- How to fix no login credentials on Zerodha
- Kite Connect API
- Zerodha investor charter
- Zerodha customer care number
- Why a risk-disclosure prompt appears at every Kite login
- Does Zerodha solicit fund transfers
- Zerodha official social media handles
- SEBI
- SEBI Stock Brokers Regulations 1992
- Zerodha policies and procedures
External references
- Zerodha support: How to set up 2FA security to log in to Kite web
- Zerodha support: How Kite app code and external TOTP are better than SMS OTP
- Zerodha Z-Connect: Two-factor authentication (2FA)
- SEBI: Cyber Security and Cyber Resilience framework for Stock Brokers / Depository Participants, circular dated 3 December 2018
- Zerodha policies and procedures
References
- SEBI, Cyber Security and Cyber Resilience framework for Stock Brokers / Depository Participants, circular dated 3 December 2018 (2FA obligation, enforced across brokers from 30 September 2022).
- Zerodha support, How to set up 2FA security to log in to Kite web (App Code and external TOTP setup; SMS/email OTP fallback after 15 seconds; DND note) (as of 20 June 2026).
- Zerodha support, How Kite app code and external TOTP are better than SMS OTP (30-second code validity; TOTP secret does not traverse the mobile network) (as of 20 June 2026).
- Zerodha, Policies and Procedures (unique client code; bar on credential sharing; client bears losses from credential misuse) (last updated 31 July 2025).
- Zerodha Kite Connect, mandatory 2FA login to place orders via the Kite Connect APIs, effective 3 October 2021.
WebNotes Editorial Team prepares factual reference articles based on publicly available regulatory documents and broker disclosures. WebNotes is not affiliated with Zerodha Broking Limited. Login flows, security controls, and regulatory requirements are subject to change; verify current requirements at support.zerodha.com before acting.