New mandatory Device Lock 2FA in Kite App (after update on 9th August 2022)

After today's app update, Kite asks to enable 2FA Security…
App based TOTP is already enabled for my account and it works fine.
Then why ask users to enable Biometric Device Lock/Verification?
This Support Article (article needs editing to be unambiguous) says TOTP ‘OR’ Device Lock. I am already using TOTP, so will enabling device lock still be mandatory?

Google itself clarified that Biometrics are less secure than a strong PIN or Password.

What happens if an Android User is not using Fingerprint Lock or Face Lock and instead is using a Password/PIN based Device Lock? In this case how is the whole process implemented/executed?

Is this feature something similar to what many apps like Mozilla Lockwise or Firefox implement for unlocking stored Passwords, where instead of asking the Android User to set a new PIN/Password to unlock the app or app data, the already set Android device lock PIN/Password is used?

What happens to the TOTP which the Kite app asks for (before this biometric 2FA update) every time on opening the app? After enabling this Device Lock as 2FA, will TOTP still be required to log in to the Kite app, or can the app be unlocked with Fingerprint alone? (Again, is it going to be just fingerprint, OR fingerprint + PIN, OR will just the Device Unlocking PIN/Password be sufficient?)

Won’t this biometric thing be LESS SECURE as compared to KITE App login on a device which is protected with [Strong PIN/Password + TOTP 2FA app protected with different Strong PIN/Password + TOTP to unlock Kite app]?

If device unlock accepts the Android device unlock PIN and uses ONLY that without combining it with TOTP, then how is it different from the earlier PIN based login mode used on Kite, where the user needed to enter the password and then a 6-digit fixed PIN [this login scheme is now defunct (AFAIK) after TOTP was made mandatory]?

There are many questions like the above; I hope you will post something on Z-Connect considering all possible scenarios to clarify this device (un)lock 2FA.

There are many devices with different device unlock methods like PIN, Pattern, Password, Biometric, Face ID etc. Which of these will be accepted for device unlock mode to unlock Kite?

The NSE Notification also allowed non-biometric authentication for cases where biometric authentication is not possible; how is Zerodha going to implement this?
@nithin @ShubhS9

We will write a detailed blog post on this soon. But here is the response from our tech team to your specific question.

Device-level lock is becoming mandatory as a general security practice. PIN is being phased out completely as an option by September in accordance with the new regulations. After that, external TOTP OR mobile device lock (biometric or others) would be the two available options for authentication.

For Kite web:

  1. Username + Password for all sessions followed by:

  2. External TOTP or the upcoming Kite Mobile based App Code (similar to external TOTP) for all sessions. The new App Code will be obtainable from a valid session from inside the Kite mobile app.

For Kite mobile:

  1. Username + password for first time login

  2. SMS 2FA OTP for first time login

  3. Device/biometric unlock OR external TOTP for all subsequent sessions based on the cryptographic token in secure storage created by the username+password+SMS OTP.

Device/biometric lock for the mobile app auth satisfies the multi-factor conditions for web and mobile.

For Kite Web:

1st factor: Username and password (what the user knows)

2nd factor: External TOTP app (what the user has and knows via the external TOTP app’s own lock)

OR

2nd factor: Kite mobile App Code (what the user has: phone + a valid Kite mobile session + what the user is: biometric lock). This is only obtainable if the user has a valid Kite mobile session in the first place.

For Kite mobile (subsequent daily logins after username+password+SMS OTP based first time setup):

1st factor: Mobile device (what the user has)

2nd factor: External TOTP app (what the user has and knows via the external TOTP app’s own lock)

OR

2nd factor: Device/biometric lock (what the user knows or what the user is)

8 Likes

Okay Thanks for the reply…
So TOTP from External (3rd party) app like Google Authenticator or Authy is a valid alternative to Device Lock (Device PIN/Password/On-Device Biometric Authentication)… Right?

I am using TOTP from External 3rd party app [after my username+password based Login - if I clear the Cache & App Data of the Kite App]

But as the screenshot above shows, the Kite App still prompts for Device Lock? Is it just for informational purposes and can one skip it (though this msg is shown after each login and that is kind of annoying as I am already using External TOTP as MFA)?

So Users who are already using TOTP (from Google Authenticator or Authy etc) should be provided an option to hide this msg at subsequent logins. @nithin

Yea, TOTP will be a primary mode of login, which once opted, will not ask for device lock. However, everyone has to enable device lock at least once.

This (annoying) phase is to sensitise everyone about mandatory device lock. The next update will let TOTP users (a small fraction of the userbase unfortunately) use that as the primary mode.

1 Like

I know Zerodha might be doing this in good faith and it is a good thing you are creating awareness about Digital Security. But other ways should be used to sensitize users about the Security of their devices, and users shouldn’t be forced to opt for Device Lock (I mean for Kite Log In) even for a single instance.

Firstly, users don’t know about the underlying code which performs this action. (Is the code of the Kite Android App Open Source? I don’t know, I am just asking because I didn’t see anything on GitHub, but then again its code might be proprietary.) Again, the point is not to start an argument. But in today’s world where security bugs are rampant, let’s not create one more, even unintentionally.

If TOTP is allowed and used for logging into Kite Web then same should be allowed for Kite App too without forcing for Device Lock… even for once.

If a user wants to use TOTP he should be able to use that as MFA and if one wants to use Device Lock he/she/they should be free to do so. But neither person should be forced to use other mode.

Secondly, if the user clears the App’s Cache & App Data, the app will repeatedly ask (FORCE) the user to perform this device lock procedure. Then it wouldn’t be a one time thing.

Thanks… I hope it will be released soon and that it won’t force users to undergo Device Lock even once. Alternatively Zerodha can ask for a Tick Box to self declare that the user’s phone is Device Lock Protected, if the intention is to avoid any future legal hassle.

Just to clarify, I am not being suspicious of Zerodha’s Security or of their intentions to create Security Awareness, but for me the Best Security practice is one which requires trusting no-one, or at least the minimum number of entities.

So as a temporary solution for myself I will access Kite from the Web Browser.
And I hope for speedy release of new update…

@nithin Just out of curiosity…

If TOTP based authentication users are a small fraction then what Mode of 2FA do others use? I was under the impression that use of TOTP is mandatory for all after Zerodha phased out the Fixed 6-digit PIN…

TOTP is currently optional. Will be mandatory by end of September, not just at Zerodha but all brokers will need to implement by then (TOTP, OTP, or any other true 2FA)

1 Like

Hey, one last thing. You can enable pattern/PIN on the phone and device lock. That works with Kite. We’re forcing device lock, not fingerprint.

1 Like

I wanted to know that if I use Biometric or Face ID authentication to login to kite on mobile, then does the validation happen on the phone itself or does zerodha get access to and store the biometric or Face ID data after it is enabled as a method to authenticate oneself on kite mobile on its server?

The device lock (biometric/pattern/PIN) is accessed from the mobile directly. The Kite app (Zerodha) does not store this information.

~ Support Portal: How to enable device lock on mobile?

1 Like

Hey @ron94, the device lock (biometric/pattern/PIN) is accessed from the mobile directly. The Kite app (Zerodha) does not store this information. Explained here.

Thanks for clarifying.

Okay… Thanks…

The explicit mention of “Enable ‘Biometric device lock’ on the app for 2Factor Security” on the app screen is confusing then…

The TOTP does not seem to be time-based or one-time. I have tried enabling TOTP using a few different apps including Authy, 2FAS and 1Password. I am able to login successfully; however, even though the TOTP app says that the token is valid only for 30 seconds, the token works till long after the 30 sec expires and the new token is generated. Isn’t it supposed to be limited to 30 seconds to provide security? Secondly, it is supposed to be one-time; however I can login 3 times successively without a problem using the same token. This further reduces security. Pls check this and let me know if this is how it’s supposed to work or if there is some problem.

The TTL (Time to Live) of TOTP can’t be exact to the level of each second. There is a bit of slack provided to account for latency (both client and server-side), unsynchronized clocks, and for user usability.

See RFC 6328 which says…

Because of possible clock drifts between a client and a validation
server, we RECOMMEND that the validator be set with a specific limit
to the number of time steps a prover can be “out of synch” before
being rejected.

Regarding the Replay Attack the RFC 6328 again explicitly mentions that

Note that a prover may send the same OTP inside a given time-step
window multiple times to a verifier. The verifier MUST NOT accept
the second attempt of the OTP after the successful validation has
been issued for the first OTP, which ensures one-time only use of an
OTP.

So basically the gist is that using a Secure Authenticator App is only Half the Story. The Verifier must take due care to avoid possible misuse such as a replay attack.

1 Like
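The two verifier-side rules discussed above (a bounded clock-drift window, and never accepting the same OTP twice after it has validated) can be seen in a small server-side TOTP verifier. This is an added illustration, not Kite's or Zerodha's code; it uses the standard HMAC-SHA1, 30-second-step, 6-digit TOTP profile and the RFC 4226/6238 test secret `12345678901234567890`, and the drift window of one step either side is an assumption.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
DRIFT_STEPS = 1  # assumed policy: accept codes from one step before/after "now"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, int(at_time) // step)


class TotpVerifier:
    """Server-side verifier with a drift window and one-time-use enforcement.

    The highest time step already consumed by a successful login is recorded;
    any code for that step (or an earlier one) is rejected, so a replayed code
    fails even while the authenticator app still displays it.
    """

    def __init__(self, secret: bytes, drift_steps: int = DRIFT_STEPS):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted_step = None  # per-user state; persist it in a real deployment

    def verify(self, code: str, at_time: float = None) -> bool:
        now_step = int(time.time() if at_time is None else at_time) // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            step = now_step + delta
            if self.last_accepted_step is not None and step <= self.last_accepted_step:
                continue  # already used (or older than a used code): replay, reject
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False
```

With the test secret, the code for time 59 is `287082`; it is accepted once within the window, rejected on replay at time 75, and rejected outright once the window has moved on.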

Hi. I recently updated the Kite android app and I have a suggestion.

Can we have an option in the app settings that allows the user to select whether device lock, biometric lock or either of the two can be used for this authentication?

For example, I use TOTP but I have enabled biometric/device lock for quicker access. Now the problem is: I use my pattern to unlock the phone a lot of times so it is somewhat publicly visible and so I am not happy with using that method to bypass biometrics. I want the option to disable my device lock as a valid form of authentication. Similarly, someone else might want to avoid biometrics as they can be used sometimes without the user’s knowledge. If I remember correctly, until the last update only biometrics were allowed instead of TOTP and there was no option to use the device pattern instead (I’m not sure if I remember this correctly though).

After a quick look at the documentation for the android authentication dialog, it seems like this should be possible. I understand that adding too many options can be confusing for the user, but I think for a security issue it is okay to have an extra option in the settings (basically a drop down that gives the option to choose between biometric only, device lock only & biometric/device lock).