Zerodha multiple incorrect 2FA notification

From WebNotes, a public knowledge base.

The Zerodha multiple incorrect 2FA notification is an alert sent to your registered email and current device when several wrong two-factor authentication entries are made on your Kite login, and the account is blocked after 5 incorrect 2FA entries. The notification warns that the 2FA was entered incorrectly and that your password may be compromised, because whoever was entering the 2FA had already cleared the password stage to reach it. If you made the failed attempts yourself, a credential reset restores access; if you did not, the alert is telling you someone else got as far as your second factor.

The block is a brute-force defence. A second authentication factor only protects you if an attacker cannot keep guessing it, so Zerodha caps the attempts. After 5 wrong 2FA entries the account locks, mirroring a parallel rule that locks the account after 5 wrong password attempts. Both thresholds exist so that an attacker who has part of your login, the password but not the 2FA, runs out of guesses before they get in. The unblock route in either case is the same: reset your credentials.

This article sets out exactly what triggers the notification, the 5-attempt block threshold and what it means, why the alert frames your password as possibly compromised, the step-by-step unblock route, the DND caveat that trips people up on the reset OTP, and what to do if you have lost access to both your email and mobile. For the standalone unblock walkthrough, see how to unblock a Kite account.

Conflict-of-interest disclosure. This guide is published by the WebNotes Editorial Team for informational purposes and is written independently. WebNotes operates a Zerodha account-opening referral programme, disclosed on the pages that carry the referral link; this guide does not carry it and earns no referral commission from the procedure described here.

What triggers the notification

The notification fires on repeated wrong 2FA entries. When the second factor, your TOTP code, app code or 2FA PIN, is entered incorrectly multiple times during a Zerodha login, the alert goes to your registered email and your current device. Per Zerodha’s documentation, “when the account is blocked, a notification is sent to the registered email ID and the current device,” and it “informs the user that their 2FA has been entered incorrectly and their password may be compromised.”

Note the sequence the alert implies. To be entering 2FA at all, the password stage was already passed. So a string of wrong 2FA attempts is not just a fumbled second factor; it means someone reached the second factor, which they could only do with a working password. That is why the notification raises the password, not just the 2FA: the failure is at the second factor, but the warning is about the first.

The block threshold

The account blocks after 5 incorrect 2FA entries. Zerodha states it directly: “the Zerodha account is blocked after 5 incorrect 2FA entries.” This sits alongside the parallel password rule, where “your Kite account gets blocked after five incorrect password attempts.” Five is the ceiling on either factor.

The cap is the whole point of a brute-force defence. A TOTP code is six digits, a million combinations, but without a limit an attacker could try them in sequence. Capping attempts at 5 means an attacker who has your password but not your second factor exhausts their tries almost immediately and is locked out, while you, who simply mistyped, are inconvenienced for one password reset. The asymmetry favours the defender, which is the design intent. The same logic underpins the new-device login notification, which fires at the password stage so you learn of credential exposure even when 2FA holds; the two alerts cover the two factors in turn.

Why the alert flags your password as compromised

The wording, that your “password may be compromised,” is doing real work and is not boilerplate. If you blocked your own account by mistyping your TOTP, the password line is technically a false alarm; your password is fine, you just fat-fingered the code. But Zerodha cannot tell your fumble from an attack from the server side, and it errs toward the more serious reading, which is the correct security posture.

So the right way to read the alert is conditional. If you know the failed attempts were yours, reset your password to unblock and move on; the password warning does not apply to you. If you did not make those attempts, the warning applies in full: someone passed your password and then failed at your 2FA, which means your password is in the wrong hands even though the 2FA wall held this time. In that case, after you unblock, change your password to a new one rather than reusing the old, and make sure TOTP is enabled so the surviving wall stays in place.

How to unblock the account

Unblocking is a credential reset; there is no separate “unblock” button. Resetting the password clears the block. On Kite web the sequence is:

  1. Visit Kite and click “Forgot user ID or password?”
  2. Enter your user ID and PAN.
  3. Select “Receive on Email” or “SMS”, enter your email ID and the captcha, and click “Reset.”
  4. Enter the OTP received on email or SMS.
  5. Enter the new password and click “Continue.”
  6. Enable two-factor authentication (2FA).

One consequence to expect: “after the password reset, all active sessions are logged out.” That is helpful after a suspected intrusion, because it ends any session an attacker holds, but it means you re-login everywhere afterwards. If, during the reset, the app code or TOTP is not cooperating, you can switch to an SMS or email OTP by clicking the SMS/email OTP option after 15 seconds, then entering the code. You will get a confirmation email once the password is successfully changed. The full reset flow, including the Kite app variant, is in how to recover or reset your Kite password and how to unblock a Kite account.
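The attempt cap from the block-threshold section and the reset behaviour described just above, modelled as an added example in Python (this is not Zerodha's code and not part of the original article): RFC 6238 TOTP for the second factor, a cap of 5 on both the password and the 2FA stage, a notification recorded when the cap is hit, and a password reset that clears the block and logs out every active session. The `Account`, `login`, `_fail` and `reset_password` names, the salt and the TOTP secret are all constructed for the example.

```python
import hashlib, hmac, struct

MAX_ATTEMPTS = 5  # the page's threshold: 5 wrong passwords or 5 wrong 2FA entries block the account

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the code an authenticator app shows for this instant."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password: str, totp_secret: bytes):
        self.salt = b"constructed-salt"  # constructed for the example; use os.urandom in practice
        self.pw_hash = password_hash(password, self.salt)
        self.totp_secret = totp_secret
        self.blocked = False
        self.failures = {"password": 0, "2fa": 0}
        self.sessions = set()    # devices holding a live session
        self.notifications = []  # what would go to the registered email and current device

    def _fail(self, stage: str, note: str) -> str:
        self.failures[stage] += 1
        if self.failures[stage] >= MAX_ATTEMPTS:
            self.blocked = True
            self.notifications.append(note)
        return "bad_" + stage

    def login(self, password: str, code: str, now: int, device: str) -> str:
        if self.blocked:
            return "blocked"
        if not hmac.compare_digest(password_hash(password, self.salt), self.pw_hash):
            return self._fail("password", "blocked after 5 incorrect password attempts")
        # Password stage cleared: a wrong code from here on comes from someone who holds the password.
        if not hmac.compare_digest(code, totp(self.totp_secret, now)):
            return self._fail("2fa", "2FA entered incorrectly; your password may be compromised")
        self.failures = {"password": 0, "2fa": 0}
        self.sessions.add(device)
        return "ok"

    def reset_password(self, new_password: str) -> None:
        # The unblock route: the reset clears the block and logs out every active session.
        self.pw_hash = password_hash(new_password, self.salt)
        self.blocked = False
        self.failures = {"password": 0, "2fa": 0}
        self.sessions.clear()
```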

The DND caveat and lost-access route

The reset depends on an OTP, and the OTP can be the sticking point. If your mobile number is registered under Do Not Disturb (DND), the SMS OTP may never arrive. Zerodha’s guidance is to “reset your password using your registered email ID instead” in that case. The email channel sidesteps the DND block entirely, so when SMS fails, switch to email rather than assuming the reset is broken.

The harder case is losing access to both your registered email and mobile, since the reset OTP has nowhere to go. You cannot self-serve here. Raise a support ticket with Zerodha and update your contact details first; Zerodha requires an e-signed account-modification form to change a registered email or mobile, after which the OTP can reach you and the reset proceeds. If you mistype your credentials enough to see an “Invalid account credentials. N attempts remain” error, re-check that your user ID, PAN and registered contact details are correct before exhausting the remaining attempts. For the broader recovery path when both channels are gone, see how to recover lost email and mobile access on Zerodha.

References

  1. Zerodha support, Why was a notification sent for entering multiple incorrect Two Factor Authentication (2FA)? (as of 21 June 2026).
  2. Zerodha support, How to unblock Kite account? (as of 21 June 2026).
  3. Zerodha, Two factor authentication (2FA), Z-Connect (as of 21 June 2026).

Frequently asked questions

Why did I get a notification about entering multiple incorrect 2FA?
Zerodha sends it when several wrong 2FA entries are made on your Kite login. It warns that the 2FA was entered incorrectly and your password may be compromised, since whoever was trying had already passed the password stage to reach 2FA.
After how many wrong 2FA attempts does the account block?
Five. The Zerodha account is blocked after 5 incorrect 2FA entries. A parallel rule blocks the Kite account after 5 incorrect password attempts. Both thresholds exist to stop brute-force guessing of your credentials.
How do I unblock my Kite account after a 2FA block?
Reset your login credentials. Resetting the password unblocks the account. On Kite web, use Forgot user ID or password, enter your user ID and PAN, receive the OTP on email or SMS, set a new password, and re-enable 2FA.
I am not receiving the reset OTP on SMS. What now?
If your mobile number is on DND, the OTP may not arrive by SMS. Reset using your registered email instead. On Kite you can switch to email or SMS OTP after 15 seconds if the app code or TOTP is not working during the reset.
Does resetting the password log out my other sessions?
Yes. After a password reset, all active sessions are logged out. That is useful after a suspected intrusion, because it ends any session an attacker may hold, but it means you will need to log in again on every device you use.
What if I have lost access to both my registered email and mobile?
You cannot self-reset, so raise a support ticket with Zerodha. You will need to update your contact details by submitting an e-signed account-modification form before you can receive the reset OTP and regain access.
Should I worry if I blocked my own account by mistyping 2FA?
If you know you mistyped your own code, the block is just the safety mechanism working, and a password reset restores access. Worry only if you did not make the attempts, because then someone else reached your 2FA stage and your password may be exposed.

Reviewed and published by

The WebNotes Editorial Team covers Indian capital markets, payments infrastructure and retail investor procedures. Every article is fact-checked against primary sources, principally SEBI circulars and master directions, NPCI specifications and the official support documentation published by the intermediary in question. Drafts go through a second-pair-of-eyes review and a separate compliance read before publication, and revisions are tracked against the SEBI and NPCI rule changes referenced in the methodology section.

Last reviewed
Conflicts of interest
WebNotes is independent. No relationship with any broker, registrar or bank named in this article.