OTP/ Fingerprint as 2FA for Zerodha login?

@nithin Allow me to share a suggestion.
Most of us find it irritating to answer the 2 random security questions while logging in. Today, most smartphones have a fingerprint sensor. What if the 2FA is taken care of with fingerprint verification? For mobiles without a fingerprint sensor, a WhatsApp Web kind of scan-the-QR-code verification can do the job.
Typing is so '90s. The login UX needs to be simplified.

10 Likes

Supporting fingerprint login will be an easy task, but not sure about Android …

Good Suggestion.

These two brokers log in with these details.

  1. SBI doesn't even have this 2FA
    (User ID, Password, PAN Number)

  2. Ventura also doesn't even have this 2FA
    (User ID, Password, PIN, PAN Number, DOB)

I don't think this biometric thumb verification is a must-have for login.

Smartphones already require a pattern lock, thumb verification, face detection, password & PIN for unlocking the cellphone.

Without unlocking the cellphone no one can use it, and the app is accessible only after unlocking.

Also, this feature is only convenient for mobile users.
For web users or those who trade on a laptop/desktop it is not convenient.

For now the most requested features are:-

  1. Price alerts
  2. Trade from chart
  3. Options strategy calculator
  4. List of active stocks displayed in Kite.
  5. Issues related to charts should be solved.
  6. Server errors on high-volume days.

And after all this, if your choice is thumb verification for identification,
I would suggest going with iris recognition.

3 Likes

:joy: :joy:

Indirectly, you are supporting giving your sensitive personal information to Zerodha.

Aastha offers real-time SMS alerts for every executed order. That's a great feature.

I support security question answers, which act as an extra layer of protection. But it's vulnerable to keyloggers.

Only one thing is sufficient. For logging into the account, it should require the existing password + OTP.

A new OTP each time a user logs into the trading account. This feature is there in Kotak net banking.

1 Like

Don't you sleep, brother?

1 Like

2FA is mandatory as per SEBI/Exchanges. 2FA can be questions or something like DOB+PAN. I think the questions are simpler. Fingerprint can be implemented, but there is still no regulatory approval for it.

6 Likes

People have crores of rupees in their online bank accounts and they are still typing just a username & password.

Hi,

You can use the user ID and password only to view account details in the bank; to transact you still need an OTP. The suggestion I can give you in the case of Kite/Pi is: keep a strong password and keep the answers for all the 2FA questions the same, which could be a single letter or number. That way, whatever questions come up, you don't have to think to answer.

Cheers,
Lindo

First of all, Happy Makar Sankranti to all. May your ‘Kite’ soar high in the sky! :slight_smile:
Now, let me explain it further:-

  1. When a user is signing up for Zerodha, he sincerely answers those questions, considering them to be used only in case of rescue, i.e. "forgot password". That's the general perception of such questions being asked.
    You may verify this by running a DB query of the average string length of the answers for these questions. I am guessing it would be 6-8 characters on average. The user is not prepared for the questions being asked every time he logs in, which irritates him and thus evokes a negative emotion.

  2. To understand it in a simple way, consider it a highway: a user first encounters a toll booth where he types his Client ID and password, and the moment he thinks of speeding up, he encounters another toll booth, where every time he has to type in different answers. He is not prepared for what would be asked while his mind is actually somewhere else, in market news and trades. This to me is a roadblock, thinking from UX principles.
    You may run a DB query to know how many times an average user logs into Zerodha every day. That many times the system provokes a negative emotion with this roadblock. You will be able to quantify the problem with this.

  3. Chrome or other browsers attempt to save the answer of the last question as the password every time you log in, which is wrong, and thus you have to type in all details every time you log into Zerodha. And if you don't save the password, it asks you to save it and you have to cancel that browser notification every time.

Consider the number of daily logins and so is the number of extra clicks to cancel/close this notification.

Thus, the current login UX journey is:-
characters being typed for clientID +
characters typed for password +
1 click on login button (or enter key) +
typing answer for question1 +
typing answer for question 2 +
1 click on login button (or enter key) +
1 click on cancel the save password browser notification.

UX-wise, this definitely needs an improvement.

  1. Some people have suggested a cheat by answering '1' or a single character for these questions so as to easily key in that single character and get over the 2FA, but this is merely a jugaad and actually defeats the purpose of 2FA security. It is compromising account security as well. In my opinion, this is not a solution at all.

  2. I understand 2FA is a mandate by the regulators. But it could be implemented in a much better way. I can think of:-

A. OTP:- So after providing the client ID and password, the system sends him a mobile OTP which he has to enter to continue. But this would incur an additional SMS cost. Considering the volume of daily logins, it would add to your cost. Alternatively, the OTP can be sent to the registered email address.

B. In-app TOTP:- Similar to the Google Authenticator app, what if the Kite app provides a TOTP (time-based OTP)? So when a user logs in, he has to type the OTP displayed in his Kite app. This will also ensure downloads of the Kite app. So web and mobile app would work in sync for the 2FA.

C. Biometric:- Once the user provides his Client ID and password, the system asks him to verify his fingerprint on his Kite app. Thus again web and mobile work in tandem for 2FA. No need to type anything with this option. Client ID and password would be saved in his browser. He clicks on "login" and touches the fingerprint sensor of his mobile and it lets him in.

The above UX improvements will act as growth hacking by taking away that negative emotion, will increase new sign-ups, and may increase trade volumes as well.

Would like to hear from you now.

1 Like

After biometric scans like fingerprint or iris, can we have a DNA scan?

A user will have to match his DNA samples on a real-time basis. Zerodha can offer a pin needle for pricking to collect a small drop of blood & Zerodha can pioneer real-time DNA sampling, first of its kind in the entire world.

:smile: :joy: :rofl:

Guys, I believe an OTP authentication is enough and more than sufficient. Every time a user logs in, he should be required to provide an OTP along with the existing password.

Even if your password gets keylogged on a public computer/network or even on a private computer/network, you will still be safe.

And of course one should regularly update and change his password every 2 weeks or 4 weeks.

Actually OP meant fingerprint login to be used so that we can log in to Zerodha easily, not for additional security.

2FA is a bit annoying :frowning:

Motilal Oswal asks for DOB/PAN number as additional measures of security. No questions and no answers. I don't think the OTP approach is good. What if you want to initiate a trade seeing an opportunity and you are not getting an OTP in time? I think they should just get rid of these Q&A and instead ask for only the DOB/PAN number on the login screen itself.

1 Like

Anyone can get to know your DOB & PAN, which can be misused. But security Q&A are known only to you.

Regarding OTP, it can offer the best security if used every time during logging into the trading account.

Zerodha should offer a 2-way security option while logging in using the existing password.

1st - Log in using security Q&A
or
2nd - Log in using OTP.

I mean Zerodha can offer an option to all users while logging in. A user should select either validate using security Q&A, or validate using OTP.

In case a trader is in a hurry to log in, then he can use security Q&A to validate; otherwise he can use OTP.

1 Like

IIFL has fingerprint login for mobile phones.

So for the trading account one can just log in with a fingerprint pattern. It will be easy if Kite comes up with fingerprint login on mobile phones.

Looks like that day is not far away when Zerodha will have all the features of each and every broker that exists on Earth.

All the very best to Zerodha.
I am sure this will bring more value customers to Zerodha.

1 Like

But my question is why the system asks for username, password and 2FA when I try to go to the back office from Kite 3.0 after entering my credentials already in Kite. Is this not funny and totally unwarranted?

Hi,

Kite 3.0 is still in beta; once it's complete you will not be asked to log in, but will be redirected to Q, like it's happening with the current version of Kite.

Cheers

I agree with Rupesh.
Typing 2 times is like the '90s and I have stopped using your app. Regarding RBI, how can other banks be allowed to implement fingerprint? I have seen this in Axis, ICICI, Citi, etc. I have my MF and stocks there too. So what is the problem here? One idea is to have an option in security for users to either select 2FA or use fingerprint. So your 2FA is also there as per RBI but never asked, as users have taken a conscious decision for their choice and you or RBI are not responsible. And the user has the choice to use his fingerprint. This is how other banks have implemented it. You need to study how you can be still better than others.

1 Like

I don't think this is a nice idea. It looks like these people are short-sighted, especially when we have accounts in our family members' names. Do they think it will be possible for me to place an order for my college-going kid to log in? Moreover, people who are 70+, are they tech savvy, like my parents? Sorry, I don't agree.