Security Measures

It would be great if Zerodha allowed us to opt out of email OTPs. This would be more secure. Please consider it @nithin sir. I hope you will listen to us :pray:

1 Like

You would have better overall security by securing your email first.

How to do that:

  1. Use a password manager
  2. Use TOTP 2FA
  3. Optional but recommended: use passkeys

The first two will put your security posture ahead of 90% of people's. The last will make you pretty much unhackable even if you fall for a phishing scam.

Zerodha should provide passkey support and an option to disable password auth altogether if the user has two or more passkeys. No more OTPs, password resets, etc.

I already know how to secure email. There is enough available knowledge on the internet.

I don’t understand, if the mailbox is secure why try to move the OTPs to a less secure channel like SMS?

First of all, who said email is more secure than SMS?

And second, no one can move from SMS to email or vice versa, because both options will be available. We have to opt for either email or SMS.

Please check: all the past demat hacks were done because of email compromise.

I am requesting this email OTP opt-out feature for myself. Hope you understand :pray:

This is not an issue with email but a lack of security on the user’s part.
Email is more secure than SMS provided the user has followed basic security measures such as using a random password generated by their password manager together with TOTP 2FA and/or passkeys.

Without those basic protections, email can be considered less secure from a user standpoint than SMS. But if someone cannot even secure their mailbox, why should a broker or any service provider go out of their way to accommodate their alternatives? They're going to get compromised anyway! :smiling_face_with_tear:

As for why SMS is probably the worst channel to send OTPs:

How about sending parts of the OTP on both mediums, with the user needing to enter both for a password reset? One of the banks does that: 3 characters on each medium.

So unless both email and SMS are hacked, the Zerodha account is safe.

From a probability perspective it will be much, much more secure.

It will be great and will help protect us from any type of fraudulent activity.

@Shravan_B_K please consider this

We did consider this. While it's true that this covers cases where one medium is compromised, it does cause a lot of inconvenience to genuine users who are resetting their password. Further, in case the mobile is lost (which is most of the cases we get today for blocking accounts via [email protected]), access to the email is also compromised and hence sending two parts doesn't really help.

Also, as I previously said, the cases of hacking have come down to zero post the implementation of 2FA regulations since Sept 2022. Since modern email service providers have implemented 2FA mandatorily, the probability of a hack is also very low.

Having said that, as stated in my previous posts, we are evaluating what can be done better with the password reset flow to improve it from the security standpoint. I will update the thread.

2 Likes
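The split-OTP reset proposed above (three characters by email, three by SMS, both required), as an added example that is not Zerodha's code or anything from this thread. It assumes constructed parameters (6-character code, 5-minute lifetime, 5 attempts) and shows the server-side checks that make the split worthwhile: single use, bounded attempts, and constant-time comparison of both halves together so a response never reveals which channel's half was wrong. The caveat from the reply above still applies: the two halves only add security when the two channels are not reachable from the same lost device.

```python
import hmac
import secrets
import time

# Constructed parameters: six characters in total, three per channel,
# matching the "3 characters on each medium" proposal in the thread.
OTP_LEN = 6
SPLIT = 3
TTL_SECONDS = 300
MAX_ATTEMPTS = 5
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # avoids 0/O and 1/I confusion


def generate_split_otp():
    """Return (email_part, sms_part) of one freshly generated code."""
    code = "".join(secrets.choice(ALPHABET) for _ in range(OTP_LEN))
    return code[:SPLIT], code[SPLIT:]


class ResetChallenge:
    """One password-reset challenge; both halves must match to succeed."""

    def __init__(self, now=None):
        self.email_part, self.sms_part = generate_split_otp()
        self.created = time.time() if now is None else now
        self.attempts = 0
        self.consumed = False

    def verify(self, email_input, sms_input, now=None):
        now = time.time() if now is None else now
        # Single-use, bounded attempts and a short lifetime: guessing one
        # half at a time is no easier than guessing the whole code.
        if self.consumed or self.attempts >= MAX_ATTEMPTS:
            return False
        if now - self.created > TTL_SECONDS:
            return False
        self.attempts += 1
        # Evaluate both halves unconditionally and in constant time so the
        # response does not reveal which channel's half was wrong.
        ok_email = hmac.compare_digest(email_input.strip().upper().encode(),
                                       self.email_part.encode())
        ok_sms = hmac.compare_digest(sms_input.strip().upper().encode(),
                                     self.sms_part.encode())
        if ok_email and ok_sms:
            self.consumed = True
            return True
        return False
```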

So you are saying that if the mobile is lost then the email will be compromised. But a person can also log in to the email from another device. And yes, two-part verification will be very useful. @pankaj_jain7 thanks for the great suggestion.

I don't think it will cause any issues for genuine users. Double OTP verification will be very helpful for password resets.