It will be great if Zerodha allows us to opt out of email OTPs. This will be more secure. Please consider it @nithin sir. I hope you will listen to us.
You would have better overall security by securing your email first.
How to do that:
- Use a password manager
- Use TOTP 2FA
- Optional but recommended: use passkeys
The first two will place your security posture better than 90% of people. The last will make you pretty much unhackable even if you fall for a phishing scam.
Zerodha should provide passkey support and an option to disable password auth altogether if the user has two or more passkeys. No more OTPs, password resets, etc.
I already know how to secure email. There is enough available knowledge on the internet.
I don’t understand, if the mailbox is secure why try to move the OTPs to a less secure channel like SMS?
First of all, who said email is more secure than SMS?
And second, no one can move from SMS to email or vice versa, because both options will be available. We have to opt for either email or SMS.
Please check: all the past demat hacks were done because of email compromise.
I am requesting this email OTP opt-out feature for myself. Hope you understand.
This is not an issue with email but a lack of security on the user’s part.
Email is more secure than SMS provided the user has followed basic security measures such as using a random password generated by their password manager together with TOTP 2FA and/or passkeys.
Without those basic protections, email can be considered less secure from a user standpoint than SMS. But if someone cannot even secure their mailbox, why should a broker or any service provider go out of their way to accommodate their alternatives? They’re going to get compromised anyway!
As for why SMS is probably the worst channel to send OTPs:
How about sending parts of the OTP on both mediums, and the user needs to enter both for a password reset? One of the banks does that, 3 characters on each medium.
So unless both email and SMS are hacked, the Zerodha account is safe.
From a probability perspective it will be much, much more secure.
It will be great and protect us from any type of fraudulent activity.
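The split-OTP reset flow proposed above, written out as an added example (this is not Zerodha's code and does not describe its actual reset flow). The parameters are constructed for the illustration: a 6-character code with 3 characters sent per channel, a 5-minute expiry and 3 attempts; the email/SMS gateways are replaced by an in-memory outbox. The verifier only ever checks the whole code, so an attacker holding one channel gets no partial-success signal, and a guessed half is limited by the attempt counter.

```python
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed parameters for this illustration: a 6-character code, 3 characters per channel.
ALPHABET = string.ascii_uppercase + string.digits
CODE_LEN = 6
HALF = CODE_LEN // 2
TTL_SECONDS = 300      # code expires after five minutes
MAX_ATTEMPTS = 3       # then the challenge is discarded and a new reset must be started


@dataclass
class ResetChallenge:
    full_code: str
    issued_at: float
    attempts: int = 0


class SplitOtpResetFlow:
    """Password-reset verifier: one code, split across email and SMS, both halves required."""

    def __init__(self) -> None:
        self._pending: Dict[str, ResetChallenge] = {}
        # Stand-in for the real email/SMS gateways: records (channel, user, fragment) tuples.
        self.outbox: List[Tuple[str, str, str]] = []

    def start_reset(self, user_id: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        # secrets.choice is a CSPRNG; random.choice would be predictable.
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self._pending[user_id] = ResetChallenge(full_code=code, issued_at=now)
        self.outbox.append(("email", user_id, code[:HALF]))
        self.outbox.append(("sms", user_id, code[HALF:]))

    def verify(self, user_id: str, email_part: str, sms_part: str,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        challenge = self._pending.get(user_id)
        if challenge is None:
            return False
        if now - challenge.issued_at > TTL_SECONDS:
            del self._pending[user_id]          # expired: force a fresh reset request
            return False
        challenge.attempts += 1
        if challenge.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]          # too many guesses: discard the challenge
            return False
        submitted = (email_part + sms_part).strip().upper()
        # Constant-time comparison of the whole code: a correct email half on its own
        # never produces a distinguishable result.
        ok = hmac.compare_digest(submitted.encode(), challenge.full_code.encode())
        if ok:
            del self._pending[user_id]          # single use
        return ok


def fragments_for(flow: SplitOtpResetFlow, user_id: str) -> Tuple[str, str]:
    """Demo helper: pull the two fragments that were 'sent' to a user from the outbox."""
    email = next(p for ch, u, p in reversed(flow.outbox) if ch == "email" and u == user_id)
    sms = next(p for ch, u, p in reversed(flow.outbox) if ch == "sms" and u == user_id)
    return email, sms


if __name__ == "__main__":
    flow = SplitOtpResetFlow()
    flow.start_reset("client-1")
    e, s = fragments_for(flow, "client-1")
    print("email got", e, "| sms got", s)
    print("email half only:", flow.verify("client-1", e, "???"))
    print("both halves:   ", flow.verify("client-1", e, s))
```

The `fragments_for` helper exists only so the demo can read the outbox; in a real deployment the fragments leave through the gateways and the server keeps only the pending challenge.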
We did consider this. While it’s true that this covers cases where one medium is compromised, it does cause a lot of inconvenience to genuine users who are resetting their password. Further, in case the mobile is lost (which is most of the cases we get today for blocking accounts via [email protected]), access to the email is also compromised and hence sending two parts doesn’t really help.
Also, as I previously said, the cases of hacking have come down to zero post the implementation of 2FA regulations since Sept 2022. Since modern email service providers have implemented 2FA mandatorily, the probability of a hack is also very low.
Having said that, as stated in my previous posts, we are evaluating what can be done better with the password reset flow to improve it from the security standpoint. I will update the thread.
So you are saying if the mobile is lost then email will be compromised. But a person can also log in to the email from another device. And yes, two-part verification will be very useful. @pankaj_jain7 thanks for the great suggestion.
I don’t think it will cause any issues to the genuine users. Double OTP verification will be very helpful for password resetting.
The password reset process is too simple IMO. I understand that gaining access to someone’s PAN, SMS, or email is difficult, but many buy-and-hold users with large portfolios would prefer a more secure password reset mechanism. Recently, @nithin also tweeted that a large portion of HNI holdings are with Zerodha. Once someone gains access to an account, they can completely wipe it out. This isn’t like banking, where there are daily withdrawal limits or delays in activating a new payee.
I’m not an HNI, but I believe there should be an opt-in high-security option for password resets, requiring all three: OTP via email, phone number, and TOTP. Even if such a measure is placed behind a paywall, it would be worth it.
I usually place my buy and sell orders only once a week or every few weeks. I’m actually considering turning on the Kill Switch every morning, so that even if someone gains access to my account, they can’t wreak havoc, except on the days I trade.
Hi Krishna,
The password reset flow that is being used is a robust one, and we haven’t come across cases where someone has lost access to their account because the flow is simple. PAN number, email ID, and mobile number are personal to a certain individual, and the chances of a third party having access to all of these or either of these is very low. We also send an email and a mobile app push notification to alert the user of a password change.
The money and securities can only be moved to the user’s bank account and Demat account, respectively, and can’t be moved to any fraudster’s account.
Further,
Having said that, we’ll certainly look into what can be done better here, but as of now, this is a robust process that has stood the test of time.
Hi, Shravan
I don’t think asking for a PAN number is as strong a measure as asking for an OTP sent to email or phone number. Yes, it is a small hurdle, but the only difficult step in this reset process is the OTP on email or password.
A fraudster can sell the holdings and can buy some very illiquid instruments which are controlled by the fraudster. These instruments bought would essentially be worthless. And they can do this very quickly. So, a person can see the notifications of different location login or resetting of password a bit late and this can be a problem.
Good (and surprised) to hear that this resetting process has not been a problem till date.
I understand that making it more secure is not on your immediate task list. Thanks!
If a user loses his phone, which is 99.9% of cases, he loses all these. How is it more secure? Pls enlighten me.
Mobile phone uses a different email. Zerodha/depository uses a different email. TOTP is in another device.
I don’t know about the number 99.9%. I get that Zerodha thinks that the existing resetting process serves most of its users better. That’s why I mentioned it as opt-in and even as a payable addon.
BTW, Kill Switch is a great feature for paranoid investors like me. Thanks for that! If there is an auto-renew for it that would be great. Like it will always stay on and buy and sells can be made only after 12 hours of switching it off. Then, there will be ample time to check notifications about a new location login, password reset, kill switch toggled etc. to see if the account was breached. I know this is another niche request that might never come to fruition but for paranoid people who use their Kite accounts only for long term investing this will be an even greater help.
I guess there is no limit on number of times the Kill Switch can be enabled? I will find out.
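The always-on Kill Switch with a 12-hour delay before trading resumes, as described in the post above, modelled as an added example (not Kite's actual Kill Switch implementation; the `DelayedKillSwitch` class, its alert log and the order strings are constructed for the illustration). The point it shows is that switching the kill switch off becomes a request with a cooldown, so a password reset followed by an immediate sell-off is blocked for 12 hours while the owner receives the notifications and can turn the switch back on.

```python
from dataclasses import dataclass, field
from typing import List, Optional

COOLDOWN_SECONDS = 12 * 3600   # from the post: orders possible only 12 hours after switching off


@dataclass
class DelayedKillSwitch:
    """Kill switch that is on by default. Switching it off is only a request that takes
    effect after a cooldown, during which the owner is alerted and can revert it."""
    off_requested_at: Optional[float] = None
    alerts: List[str] = field(default_factory=list)   # stand-in for push/email notifications

    def request_off(self, now: float) -> float:
        """Records the off request and returns the time from which orders will be accepted."""
        self.off_requested_at = now
        effective = now + COOLDOWN_SECONDS
        self.alerts.append(f"kill switch off requested at {now}; orders allowed from {effective}")
        return effective

    def turn_on(self, now: float) -> None:
        # Turning it back on is immediate: there is no reason to delay locking the account.
        self.off_requested_at = None
        self.alerts.append(f"kill switch turned on at {now}")

    def trading_allowed(self, now: float) -> bool:
        if self.off_requested_at is None:
            return False
        return now - self.off_requested_at >= COOLDOWN_SECONDS

    def place_order(self, now: float, order: str) -> bool:
        """Returns True if the order is accepted; rejected attempts are logged for review."""
        if not self.trading_allowed(now):
            self.alerts.append(f"order rejected while kill switch active: {order}")
            return False
        return True


if __name__ == "__main__":
    ks = DelayedKillSwitch()
    resume_at = ks.request_off(now=0.0)
    print("accepted at t=1h?  ", ks.place_order(now=3600.0, order="SELL 100 XYZ"))
    print("accepted at t=12h? ", ks.place_order(now=resume_at, order="BUY 10 ABC"))
    for line in ks.alerts:
        print(line)
```

A rejected order while the cooldown is running is itself a signal worth alerting on: the genuine owner who just switched the kill switch off knows to wait, so an order arriving inside the window is more likely to be someone else.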
How are you even calculating this? Count of support tickets?
Yep, if a client loses access to the account and if there are trades which they wouldn’t have placed, they do reach out to us. We have had such reports before the implementation of 2FA.