Request for improving the login process on Kite web

The current process of typing your entire password + looking up TOTP/2FA code from mobile is very cumbersome.

This is also made extra annoying by the fact that Kite logs you out every time you close the browser, and not just at the end of the day like other brokers. So if I login to the website in the morning, close the browser and come back later, I have to do this whole login process again.

Please consider implementing any of the following.

1. Scan a QR code shown on Kite web, using Kite mobile

• Dhan uses this and it is very convenient.
• Satisfies 2FA since you used 2FA’d to login to Kite mobile

2. Lock with a PIN instead of logging users out every time they close the browser.

• Users can set a PIN and login instead of TOTP code.
• Same security level as fingerprint being used for 2FA.
• Groww implements this.

3. Fingerprint on desktop

• With advancements in authentication with protocols such as WebAuth, it is possible to securely store credentials on desktop too, exactly like it is stored on Android.
• This is the most convenient. You can just give your fingerprint on desktop and it will login like mobile.
• Zerodha could be the first broker to implement this.

I have already created a ticket for this almost a year ago and they said they would forward the feedback to developers but there haven’t really been any fixes or replies to address/close this over the past year. I decided to create a topic so other members of the community can give their feedback if they face the same issues.

Hi,

There are a couple of reasons why we didn’t use this approach.

1. Log in to the web here is by using just one factor, and it is not in line with the circular released by the exchanges.
2. There are chances where phishing websites can be set up where the QR code can be mimicked, resulting in a security issue for the client.

Password and PIN are both knowledge factors, and the circular specifically mandates that a possession factor be used as a second factor; hence, we won’t be able to use this approach.

The number of folks who will use this would be very low currently, but we will explore this.

Also, someone has posted a solution for multiple accounts here. The same approach can help for managing single account as well. Check if this post helps.

Hey @Shravan_B_K , thanks for the reply

Log in to the web here is by using just one factor

You have to scan the QR with Kite mobile app. You’ve already logged into Kite mobile, meaning you have satisfied the security criteria since you’re logged into the app and can use it fully.

There are chances where phishing websites can be set up where the QR code can be mimicked

This is not any different from them mimicking Zerodha’s normal sign-in site.
Zerodha can label the button itself as “Login to Kite Web” to avoid any confusion. There can be a confirmation button too. ICICI securities and Dhan both have implemented this so it is not some new/risky/exciting technology in Indian markets.

If you open the Kite app, scan a QR using the same app and then expect something that is not being signed into Zerodha to happen then I think the same person would fall for a fake login site too. This is just my personal opinion and the Zerodha security team can differ.

The number of folks who will use this would be very low currently, but we will explore this.

Lot of people have a fingerprint reader on desktop, but yeah web auth penetration is low due to sites not using them. Google has started heavily encouraging users to enable this so Zerodha will not be the first or the largest. Kindly discuss it internally since it’s the best.

Password and PIN are both knowledge factors

I meant this in a way such that PIN is used instead of logging people out in the same day. I know that we have to login every day, but logging in multiple times the same day is tedious and not a threat model the average user faces.

a solution for multiple accounts

Thank you, but I do not use multiple accounts. I have to login multiple times in the same day on my only account, that was the problem I faced. I use browser profiles and password managers (religiously) so remembering passwords is not an issue. The process is tedious.

On a side note, what does Zerodha consider as knowledge factor when I am signing in on mobile? I am only giving my fingerprint. Are you guys considering the fact that I entered my password when I logged in initially on mobile (weeks or months ago) as knowledge factor?

The exchanges look at web and mobile sessions as 2 different ones and mandate that we have seperate 2FAs for both.

The difference here is since in kite web’s case the user would have to enter both his user ID, password and a 2FA, the chances of the phishing site being able to fool the user would be difficult as against logging in by just scanning a QR.

Will do. Thanks.

Kite web session is valid for a day and we don’t log the user out on browser closure. Further, since you are using password managers, I was hinting at the TOTP autofill using a password manager from the other post. Also authenticator extensions can help.

In case of the mobile session login, on the first login, the user is asked to enter the login id, password, SMS/email OTP and is a permission to enable device lock. There is a device registration that happens in this case. In case of further logins, since the mobile device is already registered, it becomes the possession factor and the device lock like PIN/ pattern etc become the knowledge factor. In case the user explicitly logs out, then he follows the first login flow. This flow is unfortunately not possible with the web flow since the browser doesn’t expose the underlying device details as in case of the mobile device. Hope this answers your query.

But support confirmed that this is happening and is implemented as intended (as a security measure). Every time a user completely closes the browser, I am logged out of Kite (cookies clear, etc everything is off). Completely here meaning when all tabs and windows of same browser is closed. Kite uses session cookies, which is cleared on closing of browser.

As per their reply in ticket #20230726492881,

Thank you for writing to Zerodha.
As per your raised query, we have checked this with our tech team as they have confirmed that this is done on purpose, the Kite web logs out when the Browser is completely closed to safeguard your Trading account in the event of any unaccounted transactions that might take place if the browser is not closed or your PC/Laptop is not supervised.

The user session is closed only when the user clears cookies and browser cache explicitly (this is the expected behaviour with any web application) and not on browser exit. On just closing the browser, the session is active. You can check and confirm this. The reply of the support team is also in line with this. However, they should have mentioned that the session is active on just closing the browser and is only closed when the user explicitly clears cache and cookies.

Have you tested this?

I’ve tested the same on both my friend and my accounts + different devices to ensure it is not a problem at my end since this behavior was quite absurd.

Zerodha Support had also called me on my phone telling this doesn’t happen. I gave them a step by step way to do it and they then said “Oh yeah it happens, it is working as intended.” But they atleast confirmed I was not having some weird behavior and it is happening with them too.

It is still possible I might be wrong because that’s how weird this behavior is so please test this at your end too.

1. Login to kite
2. Close all windows and tabs of same browser. Even different profiles. Basically if you are using chrome you should have closed all windows, tabs and profiles of Chrome, even non-kite ones.
3. Open browser again after 3-4 seconds.
4. Try to open kite.zerodha.com. Are you are logged out?

is only closed when the user explicitly clears cache and cookies.

yes this is pretty obvious. The problem here is I am neither clearing cache/cookies nor have I enabled something that does this.

To confirm this again, I logged into Kite and Twitter right now, closed browser and then opened it again. I was logged out of Kite but not Twitter.

Here, I meant the browser tab. My bad typo. On browser closure, the session is cleared as a good security practice.