Starting October 3, 2021, order placements via the Kite Connect API will require the respective accounts to have enabled 2FA TOTP. This does not involve any changes to any of the APIs. You just have to enable 2FA TOTP on your Zerodha account with which you login to Kite Connect. Without this, orders will not go through.
This is in line with the SEBI Cyber Security regulations and the increased cyber security threat levels in recent times. Moreover, the entire industry may move to mandatory physical 2FA for all logins in the near future.
Why now? Huge rise in cases of cyber security incidents. Every trading platform, API or not, is mandated to have 2FA like the circular says. We already enforce it for certain kinds of trades based on risk. SEBI is aware that the industry at large does not implement 2FA according to the original guidelines and there are indications that it will be enforced soon. When we mandated TOTP for risky trades, phishing and fraud complaints that were a regular feature went down to practically zero. Industry-wide 2FA will significantly reduce fraud and other unregulated activities.
Go to the Kite login page
Enter ID and password
Enter the TOTP from a phone app(?) such as Google Authenticator
Then get to fire off orders(?)
1- Is the TOTP required once per session or multiple times?
2- How does this make any sense for someone who has multiple APIs running, for example: HUF account and Individual account?
3- Why would Zerodha implement this without it being mandatory from SEBI?
There is no workflow where someone can do this for multiple accounts such as: Individual, HUF account, Corporate account.
Trying to wrap my head around this and it doesn't make any sense; globally, API access is optionally controlled by TOTP/app authentication. Making TOTP mandatory to fire off orders defeats the purpose of an API.
You'll need the TOTP to login only once per day. Instead of logging in with the PIN in the morning, you use the TOTP.
You'll still get an access token, @ZL4353 . Your orders won't go through though. They'll be rejected and the response will have a message asking you to set TOTP up.
Otherwise we have to time ourselves daily to be awake between 7:30 am and 9:15 am to generate new access tokens.
Can we test this feature before 3rd Oct by enabling TOTP?
The circular is dated Dec 03, 2018. Any specific reason why Kite woke up today to implement it after ~3 years?
For everybody's awareness, can you please point out the exact section from the SEBI circular which mandates API users to use TOTP? The only section I could find which asks for multi-factor authentication is under the annexure. Today for Kite login, password and PIN are compulsory. So Kite already mandates multiple factors for login today and is MFA compliant. I do not understand why you need to discard PIN and mandate TOTP. Let the users decide which MFA they wish to use!
@gaurmmec - You are right, I do have an account with AliceBlue too and they offer a free API and they don't have this TOTP/2FA. Zerodha is making life difficult, first introducing only one login at a time (if you try to login at another desktop, it logs you out from the first one) and now making 2FA compulsory. The important thing is when you talk to Zerodha support they say it's a SEBI requirement; however, I don't see any other broker requiring it.
@Matti Kindly think whether a rollback is possible if none of the other brokers has mandated it, or think of a way for token generation to be possible without TOTP.
Margin rules, freak trades, now this TOTP - a trader's life is becoming tougher and tougher.
Every trading platform, API or not, is mandated to have 2FA like the circular says. We already enforce it for certain kinds of trades based on risk. SEBI is aware that the industry at large does not implement 2FA according to the original guidelines and there are indications that it will be enforced soon.
Sooner or later every broker and every platform will enforce TOTP, there are already indications internally (among regulators and other stakeholders) as mentioned above.
Why can't you guys wait until SEBI specifically asks for TOTP-based 2FA and every other broker/organization implements this, instead of only Zerodha? You said this enforcement may come from SEBI, but it also means that it may not come from SEBI,
OR SEBI allows PIN-based 2FA, which will not require any changes in the current system.
1) API users have created automated systems only because they don't want to do any manual task and want to run their system (place orders and trade) even when they are on vacation or doing something important. We may be at any remote location where there is no internet, but by making our system completely automated and putting it on a cloud machine we are ensuring that it works independently of human intervention.
2) It is not possible to run our system on all trading days by manually entering the TOTP, and this will lead to data loss. Every algo uses historical data, and since you already stopped support for Pi and you are charging another 2000 Rs for the historical data API, running our automated system on all trading days in order to collect data is our only way around here.
3) Also, people are using these algos for multiple accounts, and it is not possible to get the OTP from each and every mobile because not all account holders are in one city.
These are the reasons we are paying you guys 2000 Rs monthly even when we are at a loss in our trading.
Don't you think that as loyal customers of Zerodha we deserve better? Shouldn't you keep us in mind while implementing something new and give a thought to how it can affect our work and our business?
People using your API will have problems with this new mandatory action by Zerodha. Please give this a second thought.
Please note #2 first part recommends using of 2FA, second part says 2FA is mandatory for IBTs but it doesn't say that 2FA has to be TOTP. PIN should be ok.
In my opinion, people use the API to create algorithms, and for an algorithm to run correctly it needs data. Please suggest to me if you have any other way in which an algorithm can take a buy or sell decision without data.
If the API provided by you guys should only be used for order execution, then why shouldn't we use the Kite website or mobile app to place orders? Why would anyone use the API only to place orders?
We have always informed that the historical data API is provided for backtesting purposes only. We recommend that you generate candles at your end using Websocket API data.
Has only Zerodha been asked by SEBI? Has no one else been asked by SEBI?
As @amit0 asked, can you please show us where it says it's mandatory to implement TOTP?
Are you securing API users from themselves ? Please help me understand the risk.
And for data as an add-on you charge another 2000. Just give me one reason why we shouldn't store tick data in our personal database. Are we not supposed to be smart enough?
PIN or any sort of secondary password that the user enters from memory is not actual 2FA and does not meet SEBI's definition of 2FA.
Let SEBI take any action on their definition. Let SEBI say the same. Let SEBI elaborate the definition in a more correct way.
Why are you guys in so much of a hurry, especially when it will do more harm than good to the user?
1. No OTM options buy
2. Charging 2000 per month, even when I am generating lakhs of brokerage for them.
3. Additional overhead in token generation because of TOTP.
I understand that sooner or later it will be made mandatory, but let that time come; it could be 1 or 2 years, and at least our life will be easy till then. Why unnecessarily trouble us when our returns are already heavily impacted because of margin rules?
Please make it optional. Whoever wants additional security can opt for that.
Can you please help us understand what kind of cyber security related issue you have faced with the Kite Connect API and how this TOTP helps to stop it?
I looked into this further and it's very easy to programmatically generate TOTP. If time permits I will write a post on how to do it, but as all of us are devs here, just check the pointers below.
1. When you enable TOTP, Zerodha shows you a QR code. The QR holds a key (you can copy that by clicking the link below it).
2. Use that key and the system time to generate the TOTP. You can use this key / QR code to add the account to any authenticator app as well.
3. You can use various libraries like https://www.npmjs.com/package/totp-generator or https://github.com/jiangts/JS-OTP to create the OTP. Just supply the key you got from step 2.
So it's not so difficult to automate login.
If I enable TOTP from Kite, will I be able to generate an access token using the PIN? I am talking about before 1st October.
import pyotp  # pip install pyotp; implements RFC 6238 TOTP

totp = pyotp.TOTP('YOUR_SECRETKEY_GOES_HERE')  # the base32 key shown under the QR code when you enable TOTP
totp.now() # => '492039' use the output for getting access token
Please refer to https://pyauth.github.io/pyotp/ for more details
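The pointers a few posts above (key from the QR code plus system time) and the pyotp snippet just above both rest on the same algorithm, RFC 6238 TOTP. The block below is an added example, not code from this thread or from Zerodha's libraries: it implements the generator from the standard library, which is what pyotp's .now() does internally, and goes a step further with the verifier side, where an acceptance window of a few 30-second steps is what decides whether a code typed slowly still works. The key is the RFC 6238 reference secret, constructed for the example; no real Kite key, and the window value is an assumption of the example, not Kite's setting.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example key, in the base32 form an authenticator QR code carries.
# It is the RFC 6238 reference secret "12345678901234567890", not a Kite key.
EXAMPLE_BASE32_KEY = base64.b32encode(b"12345678901234567890").decode()


def decode_base32_key(base32_key: str) -> bytes:
    """Normalise a key copied from a QR/authenticator page: strip spaces, upper-case, re-pad."""
    cleaned = base32_key.replace(" ", "").upper().rstrip("=")
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(base32_key: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). Equivalent to pyotp's .now()."""
    now = time.time() if at is None else at
    return hotp(decode_base32_key(base32_key), int(now // step), digits)


def verify_totp(base32_key: str, code: str, at: Optional[float] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the code for the current step and `window` steps either side
    (absorbing clock drift and typing time), comparing in constant time."""
    now = time.time() if at is None else at
    ok = False
    for k in range(-window, window + 1):
        candidate = totp(base32_key, now + k * step, step, digits)
        # Accumulate instead of returning early so timing does not reveal which step matched.
        ok |= hmac.compare_digest(candidate, code)
    return ok


if __name__ == "__main__":
    print("code now:", totp(EXAMPLE_BASE32_KEY))
    print("RFC 6238 vector at t=59:", totp(EXAMPLE_BASE32_KEY, at=59))  # 287082
```

With window=1 a code stays valid for roughly 90 seconds of server time rather than 30; whether Kite's login accepts adjacent steps is not stated anywhere in this thread, so treat that parameter as the example's own. The design point the thread is circling: once the seed from the QR code sits on the same machine as the API key and secret, both factors live in one place, which is exactly the trade-off between unattended automation and what the second factor was meant to add.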
I hope Zerodha doesn't mandate PHYSICAL Token soon
Maybe internally you can hash the previous token and continue your processes, but flush the user token so we can generate a new one earlier? In short I'm proposing a new internal token you use for whatever processes you have which require it (I don't know why it should be used - but whatever the reasons it solves your purpose) and the user token can be flushed.
What is the secret key here? The key under the QR code or the API secret key?
What needs to be passed to KiteInstance.GenerateSession?
using KiteConnect;  // Zerodha's .NET client
using OtpNet;       // Otp.NET, only needed for the commented-out TOTP lines
KiteInstance = new Kite(MyAPIKey, Debug: true);
// The TOTP replaces the PIN on the Kite login page; it is not passed to GenerateSession.
// If computed in code, the QR key is base32: decode it as base32, not UTF-8 (MyTotpKey = the key shown under the QR).
//var bytes = Base32Encoding.ToBytes(MyTotpKey);
//var totp = new Totp(bytes);
//var otp = totp.ComputeTotp();
// GenerateSession exchanges the request_token from the login redirect plus the API secret for an access token.
User user = KiteInstance.GenerateSession(AccessTokenTextBox.Text /* holds the request_token */, MySecret);
MyAccessToken = user.AccessToken;
a. I understand that order placement will be rejected.
b. But please confirm that other read-only APIs like ltp and quote will still work.
Just a question out of curiosity
Question: How will Zerodha handle the trades that are currently protected via TOTP?
The use of TOTP to safeguard against suspicious trades was a helpful feature. With this change there is no protection against such trades.
Please postpone the date. Provide some time for users to update their code.
"IMPORTANT: Once TOTP is setup, you have to use the same mobile authenticator app to generate a new 6-digit TOTP every time you login."
I have one doubt here: I can use the same authenticator app on different devices to login, right?
Trust me it's as seamless as without, with the added peace of having another layer of security.
I have the Authy app on 2 devices for token generation, just in case.
Congrats to Zerodha team for implementing this well.
Consider this please. I am an "almost blind" person, and I got my API system developed because I was having major problems using kite apps and website to place order.
It's an issue with every broker in India. The apps and websites are difficult to use for blind or almost-blind people.
Everything was ok with API, I could trade using my own "simpler" platform, built specifically for me.
Everything works with my screen reader on my simpler platform, no problems.
Now you are implementing this 2FA system, which requires me to use a third party app on smart phones to get a code daily, and use that code to login within 30 seconds.
Is that right?
It will take me over a minute to even open the app, let alone read the code using accessibility technology of the phone...
By that time, the login flow has expired, am I right?
So I need to find someone every day who can help me login to Zerodha, "daily"...
Why is India so inconsiderate and insensitive towards blind people?
SEBI has no idea that even blind people are trading?
I am sincerely asking and requesting, please keep this optional.
Please do not make it mandatory.
Anyone who requires higher security, they can opt for the system, or else, let the user be responsible for their API and account security.
No need for you to take the responsibility and implement password layer over layer over layer over layer in the name of security.
I will happily take the responsibility of securing my API and account, no problem.
Can you please give me a direct line of communication with SEBI?
I will take up this issue with them as well.
If I give you a written complaint as a Zerodha user, can you forward it to SEBI, asking them to consider?
It will have more impact on SEBI if the request goes through you, instead of me as individual...
It's really sad to see how insensitive decision makers are in India, especially when it comes to accessibility...
ZERO idea of our problems.
Again, sincerely asking, please please reconsider this decision.
It will make things a lot lot difficult for people like me.
Please reconsider this.
Honestly, it will make so many problems for people like me...
You have no idea...
We understand the situation and can sympathise with your plight. However, we can't make an exception to complying with SEBI rules. SEBI is going to mandate 2FA for all the platforms across the brokers soon.
That's the whole point. If SEBI is the dictator, then as service providers you must make them aware of situations of your customers, people like me.
I am sure that I am not the only blind person in your client list.
There must be many more.
I was hoping that Zerodha would stand with us customers, and would tell SEBI what the problem is in implementing 2FA.
But you are giving me a straight "NO" as answer...
SEBI wants to implement 2FA, sure go ahead.
But also give disabled people an alternative.
Where is that alternative?
It's not there because you are not willing to tell SEBI that an alternative is "needed" and a "must needed".
Do you see my point now?
Every website in USA-like countries is supposed to have an alternate system for disabled people, so that "functionality" is accessible to "everyone".
But here, you are directly saying, "NO".
And that too in the core login process...
At least make SEBI aware of the situation, and tell them that PWD customers are asking for an alternative.
LAWS are not coming down from sky. We are making them. We can change them too...
But there has to be a will to make the change in the law...
Simply refusing is not the answer to the problem...
So SEBI has not mandated it yet, and you are assuming that SEBI will ask brokers to implement TOTP. What if SEBI wants something else, not TOTP? Nowhere in the circular is TOTP mentioned.
Zerodha is known to be customer centric. Should try raising this point with SEBI for PWD customers. You can also conduct an internal survey of Zerodha PWD customers to first get an idea about UX of these customers post TOTP changes.
My friend, please convey my message to SEBI.
All I am asking is an "alternative" for PWD, people with disability.
That is all I am asking.
A simple alternative.
I am not asking to take back the rule of 2FA.
Just a request, to provide an alternative.
That's all I am asking.
I am "HONESTLY" hoping that Zerodha will stand with us customers.
I have been told that Zerodha is known to stand with customers.
This is my reason for hope.
See, please please try to understand the situation from our side.
Let me explain, read this below, its important.
You have website and app, which we blind people find very very difficult to use.
We did "not" complain.
We found an API alternative from "you only" which allowed us to build our own trading system.
We spent money and got this thing coded for ourselves.
We pay 2000 extra every month to get this API system running.
No problem at all.
We were happy that zerodha provided this.
We thanked you.
Then "you or SEBI" come up with a new "idea" that makes the alternative itself impossible to use, for us...
And you provided no "new alternative" which we disabled people can use...
Please tell me that you understand what is happening here...
Kindly tell me that you understand...
You know, it's not just handicaps with visual problems like me, but there are hundreds who have cerebral problems which restrict their limb movement, and many others with one hand, etc...
Imagine a 30 second validation process for them...
With "one hand", they open a third party app, copy or memorize the code, then come back to Zerodha to login, only to find out that the code has expired in 30 seconds...
Do you see the problem?
Same problem with us blind people. We use "talk back (android)" or "voice over (iphone)" inbuilt utilities to read everything on the screen.
This takes time. We "double click everything", and the voice feedback itself takes time.
And you and SEBI are "assuming" that 30 seconds is enough, including webpage load/serverConnect time...
Please make SEBI aware of the situation...
They are a govt organization.
They must consider "EVERYONE", not just "MAJORITY".
Physically disabled, PWD people like me must also be considered when making "major decisions" like these.
No orders placed for me today.
I logged in using the normal old process.
But no orders placed.
My friend, do you know why all this is happening?
Because some very very "stupid" people are not able to keep their "main password" secret.
Some foolish people are "announcing" their passwords on loudspeakers in mandirs and masjids and phones, and whoever is asking them, they are telling.
This is why all of us are suffering...
To protect these foolish people, you, SEBI and the internet community are coming up with new rules daily.
This authentication, that authentication, etc etc, all to protect these fools who tell their main password to anyone...
Put in your terms and conditions that nobody is supposed to tell their main password to anyone, and you are not legally responsible anymore.
This is all you need legally.