Mandatory TOTP for all Kite Connect apps

Matti
Matti edited September 15 in General
Hello all,

Starting October 3, 2021, order placements via the Kite Connect API will require the respective accounts to have enabled 2FA TOTP. This does not involve any changes to any of the APIs. You just have to enable 2FA TOTP on your Zerodha account with which you login to Kite Connect. Without this, orders will not go through.

This is in line with the SEBI Cyber Security regulations and the increased cyber security threat levels in recent times. Moreover, the entire industry may move to mandatory physical 2FA for all logins in the near future.

Learn how to set up TOTP.

Why now? Huge rise in cyber security incidents. Every trading platform, API or not, is mandated to have 2FA like the circular says. We already enforce it for certain kinds of trades based on risk. SEBI is aware that the industry at large does not implement 2FA according to the original guidelines and there are indications that it will be enforced soon. When we mandated TOTP for risky trades, phishing and fraud complaints that were a regular feature went down to practically zero. Industry-wide 2FA will significantly reduce fraud and other unregulated activities.
  • Matti
    While this increases the security of your account, please ensure that you never share your login IDs, passwords, PINs, API keys, secrets, or any other sensitive information on GitHub or other public forums or with other individuals.
  • harshnisar
    Will this require an OTP for every login/authentication to KiteConnect?
  • Matti
    Yes, you'll need to enable and use TOTP in order to login and get the access token.
  • healthsecure15
    If I have understood this correctly:

    Go to kite login page

    Enter ID and password

    Enter the TOTP from phone app(?) such as Google Authenticator

    Then get to fire off orders(?)

    1- Is the TOTP required once through the session or multiple times?
    2- How does this make any sense for someone who has multiple APIs running, for example: HUF account and Individual account?
    3- Why would Zerodha implement this without it being mandatory from SEBI?

    There is no workflow where someone can do this for multiple accounts such as: Individual, HUF account, Corporate account.

    Trying to wrap my head around this and it doesn't make any sense. Globally, API access is optionally controlled by TOTP/app authentication. Making TOTP mandatory to fire off orders defeats the purpose of an API.
  • CARahulPatel
    Is this required only in the morning at the time of connecting, or for all orders?
  • sarveshgoel
    Kite Connect is supposed to support programmatic access. Do we have to do this just once each day or for each trade? For how long is the token valid? Is there documentation on Kite Connect with details on how to make this work?
  • sultanarun
    Is this required only in the morning at the time of connecting, or for all orders?
  • Matti
    3- Why would Zerodha implement this without it being mandatory from SEBI?
    It actually is. Check the cybersecurity circular I've linked.

    You'll need the TOTP to login only once per day. Instead of logging in with the PIN in the morning, you use the TOTP.
  • whity
    Looks like this is a Dec 2018 circular. Zerodha has decided to enforce this now.
  • y_sravan
    So what next, Nitin is going to come to my place every time to see if it is really me placing orders with the API?
  • ZL4353
    Does that mean I will not be able to get an access token, or I will get an invalid access token, if I use the current way (PIN-based two-factor auth)?
  • whity
    whity edited September 14
    A lot of retailers are using a lot of option selling algos. SEBI is thinking how to make their lives hard!?
  • whity
    Start searching how to automate the TOTP method via algos!! :D
  • raaxus
    A person with a basic mobile cannot trade now? Or can we have functions to get a regular OTP via SMS?
  • Matti
    Matti edited September 14
    Does that mean I will not be able to get an access token, or I will get an invalid access token, if I use the current way (PIN-based two-factor auth)?

    You'll still get an access token, @ZL4353 . Your orders won't go through though. They'll be rejected and the response will have a message asking you to set TOTP up.
  • y_sravan
    @Matti what's the transition period? Will it work if I try today?
  • Matti
    This will go live on October third, which is a Monday. You'll have time until then. However, since there's no change to the APIs, all you need to do is set up TOTP for the account, which can be done at any time.
  • rohitm
    Zerodha trying to become a regulator on its own
  • gpratapr13
    Hello @Matti , is it possible to increase the validity of access token from one day to 7 days. Thanks!
  • Matti
    No, increasing the validity of the access token isn't possible. All trading platforms are required to ensure the sessions are cleared every day.
  • y_sravan
    This will go live on October third, which is a Monday
    Oh God. Live experimenting with retailers' money again and again in the name of saving retailers.
  • Matti
    How is this an experiment of any kind? We're simply adding a layer of security to the account. The APIs remain unchanged. All you need to do is set up TOTP. We could also consider taking this live after markets on Friday, giving you time to test over the weekend.
  • y_sravan
    How is this an experiment of any kind? We're simply adding a layer of security to the account.
    How sure are you that your system can handle the TOTP requests on time when many users try to log in to the APIs? Have you tried testing this?
  • Matti
    TOTP on Kite has been live for a long time and tens of thousands of users have been using it to login for years.
  • sultanarun
    @Matti if my algo generates a token after authentication using TOTP in the morning, will that token be valid just like how it works now? All other API calls will work fine, right?
  • Ajax
    It doesn't make any sense charging 2000 rupees in the name of "APIs" while nothing can be automated without hacks with the APIs. A simple auth flow now requires manual input. You guys should seriously consider the pricing of the APIs, as with all these manual steps + removed features (BO etc.) + frequent failures during heavy load, there isn't much value your API sub is giving.
  • mlearner
    Sad announcement for KiteConnect users. How can we compete with prop desks, HFT & hedge funds if we get entangled in these basic auth requirements every day? Not a level playing field. I agree KiteConnect monthly fees should come down.
  • mlearner
    @Matti - Can you at least advance the token flush time to 12:00 am or 1:00 am for a trading day so that the manual login can be done the previous night itself and we can generate access tokens for the day quite early?

    Otherwise we have to time ourselves daily to be awake between 7:30 am and 9:15 am to generate new access tokens.
  • gaurmmec
    gaurmmec edited September 14
    No other broker has made this mandatory. Disappointed with this change, making algo traders' lives more difficult. Forcing me to try the Fyers API, which is free of cost as well.

    Can we test this feature before 3rd Oct by enabling TOTP?
  • explorer
    I hope this mandatory check of TOTP for each order doesn't add delay to order placement. The market is already struggling with liquidity issues; I do not want order placement to be delayed.

    The circular is dated Dec 03, 2018. Any specific reason why Kite woke up today to implement it after ~3 years?

    For everybody's awareness, can you please point out the exact section from the SEBI circular which mandates API users to use TOTP? The only section I could find which asks for multi-factor authentication is under the annexure:
    In case of IBTs and SWSTs, a minimum of two-factors in the authentication flow are mandatory
    Today for Kite login, password and PIN are compulsory. So Kite already mandates multiple factors for login today and is MFA compliant. I do not understand why you need to discard the PIN and mandate TOTP. Let the users decide which MFA they wish to use!
  • wtdmarketing
    @Matti - How do I set up multiple phones with Google Authenticator? I don't have a personal account with Zerodha; instead I have a corporate account in my firm's name and there are multiple persons handling the account. 2FA is clearly restricting access to even log in to Kite without having access to the phone which is attached to Zerodha 2FA. We surely need multiple phones.

    @gaurmmec - You are right, I do have an account with AliceBlue too and they offer a free API and they don't have this TOTP/2FA. Zerodha is making life difficult, first introducing only one login at a time (if you try to log in at another desktop, it logs you out from the first one) and now making 2FA compulsory. The important thing is, when you talk to Zerodha support they say it's a SEBI requirement; however, I don't see any other broker that requires it.
  • gaurmmec
    gaurmmec edited September 15
    This will heavily impact people who are managing corporate accounts where multiple people can log in to a single account, and people who are managing family members' accounts on their behalf, as login would require a real-time OTP, which is not possible in these cases.

    @Matti Kindly consider whether a rollback is possible if none of the other brokers have mandated it, or think of a way for token generation to be possible without TOTP.

    Margin rules, freak trades, now this TOTP - traders' lives are becoming tougher and tougher.
  • rakeshr
    I hope this mandatory check of TOTP for each order doesn't add delay to order placement.
    It's not required for every order. It's just a minor change in the login flow (only), to enable TOTP instead of PIN in 2Factor, to get the request_token after a successful login. You can use the same request token to generate an access token and use it for all further requests (like earlier). Nothing changes while making API calls.
  • rakeshr
    Forcing me to try fyers api which is free of cost as well.
    AliceBlue don't have this TOTP/2FA
    The above circular from SEBI has to be implemented on all trading platforms. So, sooner or later it will be coming to all trading platforms regardless.
    Every trading platform, API or not, is mandated to have 2FA like the circular says. We already enforce it for certain kinds of trades based on risk. SEBI is aware that the industry at large does not implement 2FA according to the original guidelines and there are indications that it will be enforced soon.
  • whity
    whity edited September 15
    @rakeshr @Matti What about normal web platform logins for non-API users? Will TOTP be replacing the PINs now? Or is this only for API users?
  • sujith
    @whity,
    Sooner or later every broker and every platform will enforce TOTP, there are already indications internally (among regulators and other stakeholders) as mentioned above.
  • kavanlimbasiya
    This is pathetic. Why hurry to implement a regressive circular by SEBI when others are not doing it? Using Selenium WebDriver earlier it was possible to fully automate login. Now it's not possible. Why make life miserable for retailers while giving all the exceptions to platforms like Sensibull???
  • namratasonawane
    @Matti Is this applicable for normal Kite website users as well?
  • neerleo88
    @Matti @rakeshr @nithin

    Why can't you guys wait until SEBI specifically asks for TOTP-based 2FA and every other broker/organization implements this, instead of only Zerodha? You said this enforcement may come from SEBI, but it also means that it may not come from SEBI, OR SEBI allows PIN-based 2FA, which will not require any changes in the current system.

    1) API users have created automated systems only because they don't want to do any manual task and want to run their system (place orders and trade) even when they are on vacation or doing something important. We may be at any remote location where there is no internet, but by making our system completely automated and putting it on a cloud machine we are ensuring that it works independently of human intervention.

    2) It is not possible to run our system on all trading days by manually entering the TOTP, and this will lead to data loss. Every algo uses historical data, and since you have already stopped support for Pi and you are charging another Rs 2000 for the historical data API, running our automated system on all trading days in order to collect data is our only way around here.

    3) Also, people are using these algos for multiple accounts, and it is not possible to get the OTP from each and every mobile because not all account holders are in one city.

    These are the reasons we are paying you guys Rs 2000 monthly even when we are at a loss in our trading.

    Don't you think that as loyal customers of Zerodha we deserve better? Shouldn't you keep us in mind while implementing something new and give a thought to how it can affect our work and our business?
    People using your API will have problems with this new mandatory action by Zerodha. Please give this a second thought.
  • whity
    @neerleo88 as per SEBI, automated logins were anyways not allowed. Automated logins are a different thing.
  • Ravis
    @Matti There is a performance dip in order placement via Kite Connect API. Normal order placement is taking around 3-4 secs. Did your team implement this functionality and could this be the reason behind performance issues ? This is impacting my trade in a big way. Please look into this. Please note that Kiteweb works fine.
  • amit0
    @Matti Can you refer to Annexure C and help me understand where it says it's mandatory to implement TOTP?

    Please note that the first part of #2 recommends the use of 2FA, and the second part says 2FA is mandatory for IBTs, but it doesn't say that 2FA has to be TOTP. PIN should be OK.
  • Matti
    Why can't you guys wait until SEBI specifically asks for TOTP-based 2FA and every other broker/organization implements this, instead of only Zerodha? You said this enforcement may come from SEBI, but it also means that it may not come from SEBI, OR SEBI allows PIN-based 2FA, which will not require any changes in the current system.
    Because we have been asked questions by regulators about what we are doing to secure our users' accounts and to take additional steps when it comes to the APIs.
    1) API users have created automated systems only because they don't want to do any manual task and want to run their system (place orders and trade) even when they are on vacation or doing something important. We may be at any remote location where there is no internet, but by making our system completely automated and putting it on a cloud machine we are ensuring that it works independently of human intervention.
    As @whity just said, this was never allowed to begin with. If you were doing it, you were in violation of the terms of use of the APIs.
    2) It is not possible to run our system on all trading days by manually entering the TOTP, and this will lead to data loss. Every algo uses historical data, and since you have already stopped support for Pi and you are charging another Rs 2000 for the historical data API, running our automated system on all trading days in order to collect data is our only way around here.
    Kite Connect is a suite of order execution APIs, not a data vending product.
    3) Also, people are using these algos for multiple accounts, and it is not possible to get the OTP from each and every mobile because not all account holders are in one city.
    People are supposed to have access to only their own accounts. We can't really look at means to facilitate some users accessing accounts for other users.
  • Matti
    @Matti There is a performance dip in order placement via Kite Connect API. Normal order placement is taking around 3-4 secs. Did your team implement this functionality and could this be the reason behind performance issues ? This is impacting my trade in a big way. Please look into this. Please note that Kiteweb works fine.
    No, this hasn't gone live yet, nor will it be live until October. Nothing has changed on our end.
  • neerleo88
    Kite Connect is a suite of order execution APIs, not a data vending product.

    @Matti
    In my opinion, people use the API to create algorithms, and for an algorithm to run correctly it needs data. Please suggest to me if you have any other way in which an algorithm can take a decision to buy and sell without data.
    If the API provided by you guys should only be used for order execution, then why shouldn't we use the Kite website or mobile app to place orders? Why would anyone use an API only to place orders?
  • sujith
    @neerleo88,
    We have always informed that the historical data API is provided for backtesting purposes only. We recommend that you generate candles at your end using WebSocket API data.
  • neerleo88
    Because we have been asked questions by regulators about what we are doing to secure our users' accounts and to take additional steps when it comes to the APIs.

    Only Zerodha has been asked by SEBI? No one else has been asked by SEBI?

    As @amit0 asked, can you please show us where it says it's mandatory to implement TOTP?

    Are you securing API users from themselves? Please help me understand the risk.
  • Matti
    Matti edited September 15
    In my opinion, people use the API to create algorithms, and for an algorithm to run correctly it needs data. Please suggest to me if you have any other way in which an algorithm can take a decision to buy and sell without data.
    This is why we do provide data as an add-on. The only reason I even brought up the fact that Kite Connect isn't a data vending product is because you talked about data collection. Changes can't be based on that.
  • neerleo88
    @Matti
    And for data as an add-on you charge another 2000. Just give me one reason why we shouldn't store tick data in our personal database. Are we not supposed to be smart enough?
  • Matti
    While we understand the inconvenience, this decision is based on updated risk and cyber security assessments. As we have already mentioned above, 2FA is mandated by SEBI for all platforms (that most platforms don't offer it is a different matter). We are working towards enabling 2FA for not just the API but all platforms in the near future. This very likely will happen industry-wide soon too.

    A PIN or any sort of secondary password that the user enters from memory is not actual 2FA and does not meet SEBI's definition of 2FA.
  • mlearner
    @Matti - Can you at least advance the token flush time to 12:00 am or 1:00 am for a trading day so that the manual login can be done the previous night itself and we can generate access tokens for the day quite early?

    Otherwise we have to time ourselves daily to be awake between 7:30 am and 9:15 am to generate new access tokens.
    Can you please respond to this?
  • neerleo88
    A PIN or any sort of secondary password that the user enters from memory is not actual 2FA and does not meet SEBI's definition of 2FA.
    @Matti
    Let SEBI take any action on their definition. Let SEBI say the same. Let SEBI elaborate the definition in a more correct way.
    Why are you guys in so much of a hurry, especially when it will do more harm than good to the user?
  • Matti
    And for data as an add-on you charge another 2000. Just give me one reason why we shouldn't store tick data in our personal database. Are we not supposed to be smart enough?
    I am not saying any of that. I simply said policy decisions cannot be based on these considerations. This is a security policy and has nothing to do with data.
  • Matti
    @mlearner Was checking this internally. :smile: Unfortunately, the token flush times are timed to follow a large number of end of the day processes and cannot be moved.
  • gaurmmec
    gaurmmec edited September 15
    While I am a loyal user of the Zerodha API because of its stability, now some of the below-mentioned reasons are dragging me away to alternatives:
    1. No OTM options buy
    2. Charging 2000 per month, even when I am generating lakhs of brokerage for them.
    3. Additional overhead in token generation because of TOTP.

    I understand that sooner or later it will be made mandatory, but let that time come; it could be 1 or 2 years, and at least our life will be easy till then. Why unnecessarily trouble us when our returns are already heavily impacted because of margin rules?
  • neerleo88
    @Matti
    @Matti
    Let SEBI take any action on their definition. Let SEBI say the same. Let SEBI elaborate the definition in a more correct way.
    Why are you guys in so much of a hurry, especially when it will do more harm than good to the user?
    Can you please respond to that and provide us with the reason behind this urgent need?
  • Matti
    @neerleo88 As I've said before, while we understand the inconvenience, this decision is based on updated risk and cyber security assessments.
  • neerleo88
    @Matti

    Please make it optional. Whoever wants additional security can opt for that.
  • Matti
    @neerleo88 this was always available as an optional feature. The change is that we're mandating it now, and perhaps soon for all other platforms as well.
  • neerleo88
    @neerleo88 As I've said before, while we understand the inconvenience, this decision is based on updated risk and cyber security assessments.
    @Matti

    Can you please help us understand what kind of cyber security related issue you have faced with the Kite Connect API and how this TOTP helps to stop it?
  • amit0
    Everyone,

    I looked into this further and it's very easy to programmatically generate a TOTP. If time permits I will write a post on how to do it, but as all of us are devs here, just check the pointers below.

    1. When you enable TOTP, Zerodha shows you a QR code. The QR holds a key (you can copy it by clicking the link below it).
    2. Use that key and the system time to generate the TOTP. You can use this key / QR code to add the account to any authenticator app as well.
    3. You can use various libraries like https://www.npmjs.com/package/totp-generator or https://github.com/jiangts/JS-OTP to create the OTP. Just supply the key you got from step 2.

    So it's not so difficult to automate login.
  • neerleo88
    neerleo88 edited September 15
    @Matti @rakeshr

    If I enable TOTP from Kite, will I be able to generate an access token using the PIN? I am talking about before 1st October.
  • amit0
    @neerleo88 In my opinion no, once you enable TOTP you will require TOTP for authentication; PIN won't work.
  • Matti
    @neerleo88 Before October first, PIN will work for access token.
  • wtdmarketing
    @amit0 - Thanks bro, it's a great finding.
  • sodha_rakesh
    sodha_rakesh edited September 15
    May be helpful for Python developers... it's just 3 lines of code to generate a TOTP (of course, once the secret key is already captured):

    import pyotp
    totp = pyotp.TOTP('YOUR_SECRETKEY_GOES_HERE')
    totp.now() # => '492039' use the output for getting access token

    Please refer to https://pyauth.github.io/pyotp/ for more details

    I hope Zerodha doesn't mandate PHYSICAL Token soon :D :D
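    The library calls in the two posts above (the JS OTP packages and pyotp's TOTP.now()) all compute the same thing: RFC 6238 TOTP over the base32 secret behind the QR code. The following is an added example, not code from the thread or from Zerodha: a from-scratch implementation checked against the RFC 6238 test vectors, plus the verifier-side check a server performs (constant-time compare, a small clock-drift window, and rejection of a step that was already accepted). It assumes the Google Authenticator defaults (HMAC-SHA1, 6 digits, 30-second step); the secret used is the RFC's published test key, constructed here.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed reference secret: the RFC 6238 test key (ASCII "12345678901234567890"),
# base32-encoded the way an authenticator QR code carries it. Parameters assumed to be
# the Google Authenticator defaults: HMAC-SHA1, 6 digits, 30-second step.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode the base32 key shown under the QR code; tolerate lowercase,
    spaces and missing '=' padding, as authenticator apps do."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the authenticator app (or pyotp's TOTP.now()) computes."""
    return hotp(decode_base32_secret(secret_b32), int(at_time) // step, digits)


class TotpVerifier:
    """Verifier-side check for one enrolled secret: accepts the code for the
    current step and +-window neighbouring steps (clock drift), compares in
    constant time, and rejects reuse of a step already accepted (replay)."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = 30, digits: int = 6):
        self.key = decode_base32_secret(secret_b32)
        self.window, self.step, self.digits = window, step, digits
        self.last_counter = -1  # highest counter value accepted so far

    def verify(self, code: str, at_time: int) -> bool:
        counter = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue  # this step (or an earlier one) was already used
            expected = hotp(self.key, c, self.digits).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("RFC 6238 vector, T=59, 8 digits:", totp(RFC6238_SECRET_B32, 59, digits=8))  # 94287082
    print("current 6-digit code for the test key:", totp(RFC6238_SECRET_B32, now))
```

The replay rule in TotpVerifier is the part the generator-side snippets omit: once a step's code has been accepted, a second submission of the same code is refused even though it is still inside the time window.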
  • rohitm
    Does the secret key (QR code key) always remain the same for an account?
  • amit0
    @rohitm yes, it always remains the same. It only changes whenever you change your 2FA app or re-register.
  • rohitm
    @amit0 now Zerodha may come up with a regulation to come directly to the Bangalore office in person with an Aadhaar card and punch orders there. lol
  • rahilbhansali
    @Matti - Just a question - can you please take up the token flushing at midnight as a feature in your jira / PM tasklist? I did see your comment that a lot of things happen before you can flush it (I'm assuming including calculating funds in the account). However, I assume the token is only accessible by the user and not by Zerodha - so flushing really shouldn't have an impact on your systems.

    Maybe internally you can hash the previous token and continue your processes, but flush the user token so we can generate a new one earlier? In short I'm proposing a new internal token you use for whatever processes you have which require it (I don't know why it should be used - but whatever the reasons it solves your purpose) and the user token can be flushed.
  • narayanan
    Can you please share the steps in Kite Connect for this?
    What is the secret key here? The key under the QR code or the API secret key?
    What needs to be passed to KiteInstance.GenerateSession?

    // Kite .NET client: the API key from the developer console, with debug logging on
    KiteInstance = new Kite(MyAPIKey, Debug: true);
    KiteInstance.SetSessionExpiryHook(OnTokenExpire);

    //TOTP (Otp.NET). Note: the TOTP key is the base32 string under the QR code, not the
    // API secret, and Otp.NET expects its decoded bytes (Base32Encoding.ToBytes), not
    // UTF8 bytes. The TOTP itself is typed on the Kite login page, not passed to the API.
    //var bytes = System.Text.Encoding.UTF8.GetBytes(MySecret);
    //var totp = new Totp(bytes);
    //var otp = totp.ComputeTotp();
    // GenerateSession takes the request_token from the login redirect and the API secret
    User user = KiteInstance.GenerateSession(AccessTokenTextBox.Text, MySecret);
    MyAccessToken = user.AccessToken;
    KiteInstance.SetAccessToken(MyAccessToken);
  • kavanlimbasiya
    The Zerodha folks are not doing a good thing here.
  • Ajax
    @Matti It's strange to see that these rules don't apply to the Kite mobile app? I can enable fingerprint access and then don't need TOTP verification every time I log in? Care to explain the rationale?
  • sudhirtambe
    By Oct 3, if TOTP is not set and I am still using the old method of entering the PIN:
    a. I understand that order placement will be rejected
    b. But please confirm that other read-only APIs like ltp and quote will still work.
    Just a question out of curiosity
  • swas99
    @Matti
    Question: How will Zerodha handle the trades that are currently protected via TOTP?
    The use of TOTP to safeguard against suspicious trades was a helpful feature. With this change there is no protection against such trades.
    _______________________________________________________________________________________

    IMO:
    • This enforcement is just bullshit. Either the real reason is something else or SEBI folks are dumb-nuts
    • This does not stop a hacker/fraudster from abusing my account if they already have my password and PIN.
    • Developers will always find a way around it (one way already discussed here). This just creates unnecessary work for no benefit. Trying to stop them from fully automating stuff is everyone's waste of time and resources. SEBI/you should accept that fact.
    • A little more effective way to "increase security" would be to use OTP via SMS. It may safeguard against hackers/fraudsters to some extent but has a different set of challenges attached to it. (And developers will get around this as well, if the intention is to stop them from automating stuff.)
  • narayanan
    Please update the documentation on the Kite Connect API based on the new change. Otherwise it will be difficult to find the right code for this.
  • rakeshr
    By Oct 3, if TOTP is not set and I am still using the old method of entering the PIN:
    a. I understand that order placement will be rejected
    Yes, all order placement-related calls will throw a 400.
    But please confirm that other read-only APIs like ltp and quote will still work.
    Yes, this will work as before.
    Please update the documentation on the Kite Connect API based on the new change.
    Yes, we will update the login flow documentation before going live, i.e. October 3.
  • narayanan
    @rakeshr Will it get updated for all types of clients? I would like to see the documentation updated for the .NET API client.
  • narayanan
    Zerodha should first update the documentation, then the announcement should be made.
    Please postpone the date. Provide some time to users to update the code.
  • Matti
    @narayanan, as I say in my original post making the announcement, this does not involve any changes to the APIs and does not require any changes to your code. You simply need to enable TOTP on your Zerodha account. Functionally, the APIs remain unchanged.
  • narayanan
    Thanks Matti. Sorry for the confusion.
  • narayanan
    I am able to log in without any code changes after enabling the TOTP option in Kite web. Thanks.