Starting October 3, 2021, order placements via the Kite Connect API will require the respective accounts to have enabled 2FA TOTP. This does not involve any changes to any of the APIs. You just have to enable 2FA TOTP on your Zerodha account with which you login to Kite Connect. Without this, orders will not go through.
This is in line with the SEBI Cyber Security regulations and the increased cyber security threat levels in recent times. Moreover, the entire industry may move to mandatory physical 2FA for all logins in the near future.
Why now? Huge rise in cyber security incidents. Every trading platform, API or not, is mandated to have 2FA like the circular says. We already enforce it for certain kinds of trades based on risk. SEBI is aware that the industry at large does not implement 2FA according to the original guidelines and there are indications that it will be enforced soon. When we mandated TOTP for risky trades, phishing and fraud complaints that were a regular feature went down to practically zero. Industry-wide 2FA will significantly reduce fraud and other unregulated activities.
While this increases the security of your account, please ensure that you never share your login IDs, passwords, PINs, API keys, secrets, or any other sensitive information on GitHub or other public forums or with other individuals.
Enter the TOTP from phone app(?) such as Google Authenticator
Then get to fire off orders(?)
1- Is the TOTP required once through the session or multiple times?
2- How does this make any sense for someone who has multiple APIs running, for example: HUF account and Individual account?
3- Why would Zerodha implement this without it being mandatory from SEBI?
There is no workflow where someone can do this for multiple accounts such as: Individual, HUF account, Corporate account.
Trying to wrap my head around this, and it doesn't make any sense; globally, API access is optionally controlled by TOTP/app authentication. Making TOTP mandatory to fire off orders defeats the purpose of an API.
Kite Connect is supposed to support programmatic access. Do we have to do this just once each day or for each trade? For how long is the token valid? Is there documentation on Kite Connect with details on how to make this work?
Does that mean I will not be able to get an access token, or that I will get an invalid access token, if I use the current way (PIN-based two-factor auth)?
You'll still get an access token, @ZL4353. Your orders won't go through though. They'll be rejected and the response will have a message asking you to set TOTP up.
This will go live on October third, which is a Monday. You'll have time until then. However, since there's no change to the APIs, all you need to do is set up TOTP for the account, which can be done at any time.
How is this an experiment of any kind? We're simply adding a layer of security to the account. The APIs remain unchanged. All you need to do is set up TOTP. We could also consider taking this live after markets on Friday, giving you time to test over the weekend.
@Matti If my algo generates a token after authentication using TOTP in the morning, will that token be valid just like how it works now? All other API calls will work fine, right?
It doesn't make any sense charging 2000 rupees in the name of "APIs" while nothing can be automated without hacks with the APIs. A simple auth flow now requires manual input. You guys should seriously consider the pricing of the APIs, as with all these manual steps + removed features (BO, etc.) + frequent failures during heavy load, there isn't much value your API subscription is giving.
Sad announcement for Kite Connect users. How can we compete with prop desks, HFTs and hedge funds if we get entangled in these basic auth requirements every day? Not a level playing field. I agree Kite Connect monthly fees should come down.
@Matti - Can you at least advance the token flush time to 12:00 am or 1:00 am for a trading day so that manual login can be done previous night itself and we can generate access tokens for the day quite early.
Otherwise we have to time ourselves daily to be awake between 7:30 am to 9:15 am to generate new access tokens.
No other broker has made this mandatory. Disappointed with this change; it is making algo traders' lives more difficult. Forcing me to try the Fyers API, which is free of cost as well.
Can we test this feature before 3rd Oct by enabling TOTP?
I hope this mandatory check of TOTP for each order doesn't add delay to order placement. Already market is struggling with liquidity issues; do not want order placement to be delayed.
The circular is dated Dec 03, 2018. Any specific reason why Kite woke up today to implement it after ~3 years?
For everybody's awareness, can you please point out the exact section from the SEBI circular which mandates API users to use TOTP? The only section I could find which asks for multi-factor authentication is under the annexure:
In case of IBTs and SWSTs, a minimum of two-factors in the authentication flow are mandatory
Today for Kite login, password and PIN are compulsory. So Kite already mandates multiple factors for login today and is MFA compliant. I do not understand why you need to discard PIN and mandate TOTP. Let the users decide which MFA they wish to use!
@Matti - How do I set up multiple phones with Google Authenticator? I don't have a personal account with Zerodha; instead I have a corporate account in my firm's name and there are multiple persons handling the account. 2FA is clearly restricting access to even login to Kite without having access to a phone which is attached to Zerodha 2FA. We surely need multiple phones.
@gaurmmec - You are right. I do have an account with AliceBlue too, and they offer a free API and they don't have this TOTP/2FA. Zerodha is making life difficult, first introducing only one login at a time (if you try to login at another desktop, it logs you out from the first one) and now making 2FA compulsory. The important thing is, when you talk to Zerodha support they say it's a SEBI requirement; however, I don't see any other broker requiring it.
This will heavily impact people who are managing corporate accounts where multiple people can login to a single account, and people who are managing family members' accounts on their behalf, as login would require a real-time OTP, which is not possible in these cases.
@Matti Kindly consider whether a rollback is possible if none of the other brokers have mandated it, or think of a way to make token generation possible without TOTP.
Margin rules, freak trades, now this TOTP - traders' lives are becoming tougher and tougher.
I hope this mandatory check of TOTP for each order doesn't add delay to order placement.
It's not required for every order. It's just a minor change in the login flow (only) to enable TOTP instead of PIN in the second factor, to get the request_token after a successful login. You can use the same request token to generate an access token and use it for all further requests (like earlier). Nothing changes while making API calls.
Forcing me to try fyers api which is free of cost as well. AliceBlue don't have this TOTP/2FA
The above circular from SEBI has to be implemented on all trading platforms. So, sooner or later it will be coming on all trading platforms irrespective. Every trading platform, API or not, is mandated to have 2FA like the circular says. We already enforce it for certain kinds of trades based on risk. SEBI is aware that the industry at large does not implement 2FA according to the original guidelines and there are indications that it will be enforced soon.
@whity, sooner or later every broker and every platform will enforce TOTP; there are already indications internally (among regulators and other stakeholders), as mentioned above.
This is pathetic. Why hurry to implement a regressive circular by SEBI when others are not doing it? Using the Selenium web driver earlier it was possible to fully automate login. Now it's not possible. Why make life miserable for retailers while giving all the exceptions to platforms like Sensibull???
Why can't you guys wait until SEBI specifically asks for TOTP-based 2FA and every other broker/organization implements this, instead of only Zerodha? You said this enforcement may come from SEBI, but it also means that it may not come from SEBI, or SEBI may allow PIN-based 2FA, which will not require any changes in the current system.
1) API users have created automated systems only because they don't want to do any manual task and want to run their system (place orders and trade) even when they are on vacation or doing something important. We may be at any remote location where there is no internet, but by making our system completely automated and putting it on a cloud machine we are ensuring that it works independently of human intervention.
2) It is not possible to run our system on all trading days by manually entering a TOTP, and this will lead to data loss. Every algo uses historical data, and since you have already stopped support for Pi and are charging another 2000 Rs for the historical data API, running our automated system on all trading days in order to collect data is our only way around here.
3) Also, people are using these algos for multiple accounts, and it is not possible to get the OTP from each and every mobile because not all account holders are in one city.
These are the reasons we are paying you guys 2000 Rs monthly even when we are at a loss in our trading.
Don't you think that as loyal customers of Zerodha we deserve better? Shouldn't you keep us in mind while implementing something new and give a thought to how it can affect our work and our business? People using your API will have problems with this new mandatory action by Zerodha. Please give this a second thought.
@Matti There is a performance dip in order placement via the Kite Connect API. Normal order placement is taking around 3-4 secs. Did your team implement this functionality, and could this be the reason behind the performance issues? This is impacting my trading in a big way. Please look into this. Please note that Kite web works fine.
@Matti Can you refer to Annexure C and help me understand where it says it's mandatory to implement TOTP?
Please note #2: the first part recommends the use of 2FA; the second part says 2FA is mandatory for IBTs, but it doesn't say that 2FA has to be TOTP. PIN should be OK.
Why can't you guys wait until SEBI specifically asks for TOTP-based 2FA and every other broker/organization implements this, instead of only Zerodha? You said this enforcement may come from SEBI, but it also means that it may not come from SEBI, or SEBI may allow PIN-based 2FA, which will not require any changes in the current system.
Because we have been asked questions by regulators about what we are doing to secure our users' accounts and to take additional steps when it comes to the APIs.
1) API users have created automated systems only because they don't want to do any manual task and want to run their system (place orders and trade) even when they are on vacation or doing something important. We may be at any remote location where there is no internet, but by making our system completely automated and putting it on a cloud machine we are ensuring that it works independently of human intervention.
As @whity just said, this was never allowed to begin with. If you were doing it, you were in violation of the terms of use of the APIs.
2) It is not possible to run our system on all trading days by manually entering a TOTP, and this will lead to data loss. Every algo uses historical data, and since you have already stopped support for Pi and are charging another 2000 Rs for the historical data API, running our automated system on all trading days in order to collect data is our only way around here.
Kite Connect is a suite of order execution APIs, not a data vending product.
3) Also, people are using these algos for multiple accounts, and it is not possible to get the OTP from each and every mobile because not all account holders are in one city.
People are supposed to have access to only their own accounts. We can't really look at means to facilitate some users accessing accounts for other users.
@Matti There is a performance dip in order placement via the Kite Connect API. Normal order placement is taking around 3-4 secs. Did your team implement this functionality, and could this be the reason behind the performance issues? This is impacting my trading in a big way. Please look into this. Please note that Kite web works fine.
No, this hasn't gone live yet, nor will it be live until October. Nothing has changed on our end.
Kite Connect is a suite of order execution APIs, not a data vending product.
@Matti In my opinion, people use the API to create algorithms, and for an algorithm to run correctly it needs data. Please suggest to me if you have any other way in which an algorithm can take a decision on buying and selling without data. If the API provided by you guys should only be used for order execution, then why shouldn't we use the Kite website or mobile app to place orders? Why would anyone use the API only to place orders?
@neerleo88, we have always informed that the historical data API is provided for backtesting purposes only. We recommend you generate candles at your end using Websocket API data.
Because we have been asked questions by regulators about what we are doing to secure our users' accounts and to take additional steps when it comes to the APIs.
Only Zerodha has been asked by SEBI? No one else has been asked by SEBI?
As @amit0 asked, can you please show us where it says it's mandatory to implement TOTP?
Are you securing API users from themselves? Please help me understand the risk.
In my opinion, people use the API to create algorithms, and for an algorithm to run correctly it needs data. Please suggest to me if you have any other way in which an algorithm can take a decision on buying and selling without data.
This is why we do provide data as an add on. The only reason I even brought up the fact that Kite Connect isn't a data vending product is because you talked about data collection. Changes can't be based on that.
@Matti And for data as an add-on you charge another 2000. Just give me one reason why we shouldn't store tick data in our personal database. Are we not supposed to be smart enough?
While we understand the inconvenience, this decision is based on updated risk and cyber security assessments. As we have already mentioned above, 2FA is mandated by SEBI for all platforms (that most platforms don't offer it is a different matter). We are working towards enabling 2FA for not just the API but all platforms in the near future. This very likely will happen industry-wide soon too.
A PIN or any sort of secondary password that the user enters from memory is not actual 2FA and does not meet SEBI's definition of 2FA.
@Matti - Can you at least advance the token flush time to 12:00 am or 1:00 am for a trading day so that manual login can be done previous night itself and we can generate access tokens for the day quite early.
Otherwise we have to time ourselves daily to be awake between 7:30 am to 9:15 am to generate new access tokens.
A PIN or any sort of secondary password that the user enters from memory is not actual 2FA and does not meet SEBI's definition of 2FA. @Matti Let SEBI take any action on their definition. Let SEBI say the same. Let SEBI elaborate the definition in a more correct way. Why are you guys in so much of a hurry, especially when it will do more harm than good to the user?
And for data as an add-on you charge another 2000. Just give me one reason why we shouldn't store tick data in our personal database. Are we not supposed to be smart enough?
I am not saying any of that. I simply said policy decisions cannot be based on these considerations. This is a security policy and has nothing to do with data.
@mlearner Was checking this internally. Unfortunately, the token flush times are timed to follow a large number of end of the day processes and cannot be moved.
While I am a loyal user of the Zerodha API because of its stability, now some of the below mentioned reasons are dragging me away to alternatives:
1. No OTM options buy
2. Charging 2000 per month, even when I'm generating lakhs of brokerage for them.
3. Additional overhead in token generation because of TOTP.
I understand that sooner or later it will be made mandatory, but let that time come; it could be 1 or 2 years, and at least our life will be easy till then. Why unnecessarily trouble us when our returns are already impacted heavily because of margin rules?
@Matti Let SEBI take any action on their definition. Let SEBI say the same. Let SEBI elaborate the definition in a more correct way. Why are you guys in so much of a hurry, especially when it will do more harm than good to the user?
Can you please respond on that and provide us the reason behind this urgent need?
@neerleo88 this was always available as an optional feature. The change is that we're mandating it now, and perhaps soon for all other platforms as well.
I looked into this further and it's very easy to programmatically generate a TOTP. If time permits I will write a post on how to do it, but as all of us are devs here, just check the pointers below.
1. When you enable TOTP, Zerodha shows you a QR code. The QR holds a key (you can copy that by clicking the link below it).
2. Use that key and the system time to generate the TOTP. You can use this key / QR code to add the account to any authenticator app as well.
3. You can use various libraries like https://www.npmjs.com/package/totp-generator or https://github.com/jiangts/JS-OTP to create the OTP. Just supply the key you got from step 2.
@Matti - Just a question - can you please take up the token flushing at midnight as a feature in your jira / PM tasklist? I did see your comment that a lot of things happen before you can flush it (I'm assuming including calculating funds in the account). However, I assume the token is only accessible by the user and not by Zerodha - so flushing really shouldn't have an impact on your systems.
Maybe internally you can hash the previous token and continue your processes, but flush the user token so we can generate a new one earlier? In short I'm proposing a new internal token you use for whatever processes you have which require it (I don't know why it should be used - but whatever the reasons it solves your purpose) and the user token can be flushed.
Can you please share the steps in Kite Connect for this. What is the secret key here? The key under the QR code or the API secret key? What needs to be passed under KiteInstance.GenerateSession?

```csharp
KiteInstance = new Kite(MyAPIKey, Debug: true);
KiteInstance.SetSessionExpiryHook(OnTokenExpire);

// TOTP
// var bytes = System.Text.Encoding.UTF8.GetBytes(MySecret);
// var totp = new Totp(bytes);
// var otp = totp.ComputeTotp();

// GenerateSession takes the request_token from the login redirect and the API secret
User user = KiteInstance.GenerateSession(AccessTokenTextBox.Text, MySecret);
MyAccessToken = user.AccessToken;
KiteInstance.SetAccessToken(MyAccessToken);
```
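The TOTP steps given a few posts above and the question here about which secret goes where, as an added example that is not from this thread or from Zerodha: an RFC 6238 generator plus the verifier-side check, using only the Python standard library. The key shown under the QR code is the TOTP seed that an authenticator app (or this code) consumes; it is separate from the API secret that GenerateSession takes. DEMO_BASE32_KEY is the RFC 4226/6238 reference secret, constructed for the demo.

```python
"""RFC 6238 TOTP generator and verifier with the Python standard library only.

Added example (not Kite Connect code). DEMO_BASE32_KEY is the RFC 4226/6238
reference secret "12345678901234567890", constructed here for the demo; a real
seed is the base32 key shown under the QR code when TOTP is enabled.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30  # seconds per code: each code is tied to one 30-second slot of Unix time
DIGITS = 6

# Authenticator QR codes carry the seed base32-encoded, exactly like this.
DEMO_BASE32_KEY = base64.b32encode(b"12345678901234567890").decode()


def decode_seed(base32_key: str) -> bytes:
    """Decode a base32 seed as pasted from the QR-code link (spaces, lower case
    and missing '=' padding are all common and all tolerated here)."""
    cleaned = base32_key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(base32_key: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / TIME_STEP).
    This is what Google Authenticator computes from the same seed."""
    now = int(time.time()) if at is None else at
    return hotp(decode_seed(base32_key), now // TIME_STEP)


def seconds_remaining(at: Optional[int] = None) -> int:
    """How long the current code stays valid: the rest of the 30-second slot,
    not 30 seconds from the moment it was read."""
    now = int(time.time()) if at is None else at
    return TIME_STEP - (now % TIME_STEP)


def verify(base32_key: str, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Verifier-side check: accept the code for the current slot and `window`
    slots either side (clock skew, typing delay), comparing in constant time."""
    now = int(time.time()) if at is None else at
    seed = decode_seed(base32_key)
    step = now // TIME_STEP
    return any(
        hmac.compare_digest(hotp(seed, step + delta), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # The seed is a credential: load it from a secret store, never from the script or a repo.
    print("code now:", totp(DEMO_BASE32_KEY), "valid for", seconds_remaining(), "s")
```

The `window` of one slot either side is the usual verifier tolerance; whether a given login page allows it is up to that server, so treat the remaining seconds, not a full 30, as the time available to type the code.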
@Matti It's strange to see that these rules don't apply to the Kite mobile app? I can enable fingerprint access and then don't need TOTP verification every time I login? Care to explain the rationale?
By Oct 3, if TOTP is not set and I am still using the old method of entering the PIN:
a. I understand that order placement will be rejected.
b. But please confirm that other read-only APIs like ltp and quote will still work. Just a question out of curiosity.
@Matti Question: How will Zerodha handle the trades that are currently protected via TOTP? The use of TOTP to safeguard against suspicious trades was a helpful feature. With this change there is no protection against such trades.
IMO:
This enforcement is just bullshit. Either the real reason is something else or SEBI folks are dumb-nuts
This does not stop a hacker/fraudster from abusing my account if they already have my password and pin.
Developers will always find a way around it (one way already discussed here). (just creates unnecessary work for no benefit). Trying to stop them from fully automating stuff is everyone's waste of time and resources. SEBI/You should accept that fact.
A little more effective way to "increase security" would be to use OTP via SMS. It may safeguard against hackers/fraudsters to some extent but has different set of challenges attached to it. (and developers will get around this as well: if the intention is to stop them from automating stuff)
Zerodha should first update the documentation, and then the announcement should be made. Please postpone the date. Provide some time for users to update their code.
@narayanan, as I say in my original post making the announcement, this does not involve any changes to the APIs and does not require any changes to your code. You simply need to enable TOTP on your Zerodha account. Functionally, the APIs remain unchanged.
@matti, @rakeshr "IMPORTANT: Once TOTP is setup, you have to use the same mobile authenticator app to generate a new 6-digit TOTP every time you login."
I have one doubt here, I can use same authenticator app in different devices to login right?
For TOTP authentication, you could use this; it is an implementation of Google Authenticator. I am using it and it is working perfectly well using Selenium.
I've been using Authy based TOTP authentication for last 5-6 months for API access. Trust me it's as seamless as without, with the added peace of having another layer of security. I have the Authy app on 2 devices for token generation, just in case.
Congrats to Zerodha team for implementing this well.
Hi, consider this please. I am an "almost blind" person, and I got my API system developed because I was having major problems using the Kite apps and website to place orders. It's an issue with every broker in India. The apps and websites are difficult to use by blind or almost blind people. Everything was OK with the API; I could trade using my own "simpler" platform, built specifically for me. Everything works with my screen reader on my simpler platform, no problems.
Now you are implementing this 2FA system, which requires me to use a third party app on smart phones to get a code daily, and use that code to login within 30 seconds. Is that right?
It will take me over a minute to even open the app, let alone read the code using accessibility technology of the phone... By that time, the login flow has expired, am I right?
So I need to find someone everyday who can help me login to zerodha, "daily"...
Why is India so inconsiderate and insensitive towards blind people? SEBI has no idea that even blind people are trading?
I am sincerely asking and requesting, please keep this optional. Please do not make it mandatory. Anyone who requires higher security can opt for the system; otherwise, let the user be responsible for their API and account security.
You can update your terms of use and make us accept the terms, and let the user be responsible for the security. No need for you to take the responsibility and implement password layer over layer over layer over layer in the name of security. I will happily take the responsibility of securing my API and account, no problem.
Can you please give me a direct line of communication with SEBI? I will take up this issue with them as well. If I give you a written complaint as zerodha user, can you forward it to SEBI, asking them to consider? It will have more impact on SEBI if the request goes through you, instead of me as individual...
It's really sad to see how insensitive decision makers are in India, especially when it comes to accessibility... ZERO idea of our problems. Totally zero.
Again, sincerely asking, please please reconsider this decision. It will make things a lot lot difficult for people like me.
Please reconsider this. Honest, it will make so much problem for people like me... You have no idea... Thanks
Can someone be kind enough to give me details on how to setup this "google authenticator" app on my android phone, and then how to connect it to zerodha... Thanks
Hi @JeetKumar We understand the situation and can sympathise with your plight. However, we can't make an exception to complying with SEBI rules. SEBI is going to mandate 2FA for all the platforms across the brokers soon.
@Matti That's the whole point. If SEBI is the dictator, then as service providers you must make them aware of situations of your customers, people like me. I am sure that I am not the only blind person in your client list. There must be many more.
I was hoping that zerodha will stand with us customers, and will tell SEBI what the problem is in implementing 2FA. But you are giving me a straight "NO" as answer...
SEBI wants to implement 2FA, sure go ahead. But also give disabled people an alternative. Where is that alternative?
It's not there because you are not willing to tell SEBI that an alternative is "needed" and a "must". Do you see my point now?
Every website in countries like the USA is supposed to have an alternate system for disabled people, so that "functionality" is accessible to "everyone". But here, you are directly saying "NO". And that too in the core login process...
At least make SEBI aware of the situation, and tell them that PWD customers are asking for an alternative. LAWS are not coming down from sky. We are making them. We can change them too... But there has to be a will to make the change in the law...
Simply refusing is not the answer to the problem...
@JeetKumar Sir, you are talking about removing this 2FA. SEBI implemented stupid margin rules, and no broker said anything. How do you expect anyone will say anything against 2FA! Better, just learn to adapt. Use the tools I told you about. You can still automate the login process.
Hi @JeetKumar We understand the situation and can sympathise with your plight. However, we can't make an exception to complying with SEBI rules. SEBI is going to mandate 2FA for all the platforms across the brokers soon.
@matti So SEBI has not mandated it yet, and you are assuming that SEBI will ask brokers to implement TOTP. What if SEBI wants something else, not TOTP? Nowhere in the circular is TOTP mentioned.
@Matti I enabled 2FA in the Zerodha mobile app and also re-logged in through 2FA, but there is no option on the Zerodha Kite developer page to login through 2FA; it demanded only ID and password. Is it normal? Do I have to login on the developer Kite Connect page to execute orders through the algo and API, or is just one login a day in the mobile app through 2FA enough to execute orders...?
There is no option on the Zerodha Kite developer page to login through 2FA; it demanded only ID and password. Is it normal?
Above 2FA TOTP is used for login to your kite account, the kite connect developer page is completely separate(it will continue to be the same as earlier).
Do I have to login on the developer Kite Connect page to execute orders through the algo and API, or is just one login a day in the mobile app through 2FA enough to execute orders...?
You need to go through this documentation to understand the login flow for kite connect APIs.
Zerodha is known to be customer centric. Should try raising this point with SEBI for PWD customers. You can also conduct an internal survey of Zerodha PWD customers to first get an idea about UX of these customers post TOTP changes.
@matti My friend, please convey my message to SEBI. All I am asking is an "alternative" for PWD, people with disability. That is all I am asking. A simple alternative.
I am not asking to take back the rule of 2FA. Just a request, to provide an alternative. That's all I am asking.
I am "HONESTLY" hoping that zerodha will stand with us customers. I have been told that zerodha is known to stand with customers. This is my reason for hope.
See, please please try to understand the situation from our side. Let me explain; read this below, it's important. You have a website and app, which we blind people find very very difficult to use. We did "not" complain. We found an API alternative from "you only" which allowed us to build our own trading system. We spent money and got this thing coded for ourselves. We pay 2000 extra every month to get this API system running. No problem at all. Absolutely none. We were happy that Zerodha provided this. We thanked you.
Then "you or SEBI" comes up with a new "idea" that makes the alternative itself impossible to use, for us... And you provided no "new alternative" which we disabled people can use... Please tell me that you understand what is happening here...
Kindly tell me that you understand...
You know, it's not just handicaps with visual problems like me, but there are hundreds who have cerebral problems which restrict their limb movement, and many others with one hand, etc... Imagine a 30 second validation process for them...
With "one hand", they open a third party app, copy or memorize the code, then come back to zerodha to login, only to find out that the code has expired in 30 seconds... Do you see the problem?
Same problem for us blind people. We use the "TalkBack (Android)" or "VoiceOver (iPhone)" inbuilt utilities to read everything on the screen. This takes time. We "double click everything", and the voice feedback itself takes time. And you and SEBI are "assuming" that 30 seconds is enough, including webpage load/server connect time...
Please make SEBI aware of the situation... They are a govt organization. They must consider "EVERYONE", not just "MAJORITY". Physically disabled, PWD people like me must also be considered when making "major decisions" like these.
No orders placed for me today. I logged in using normal old process. API validated. But no orders placed.
My friend, do you know why all this is happening? Core reason? Because some very very "stupid" people are not able to keep their "main password" secret. Some foolish people are "announcing" their passwords on loudspeakers in mandirs and masjids and phones, and whoever is asking them, they are telling. This is why all of us are suffering...
To protect these foolish people, you, SEBI, internet community is coming up with new new rules daily. This authentication, that authentication, etc etc, all to protect these fools who tell their main password to anyone...
Put in your terms and conditions, that nobody is supposed to tell their main password to anyone, and you are not legally responsible anymore. This is all you need legally.
I don't know how Zerodha interpreted SEBI Cyber Security regulations. SEBI has not made Smart phone mandatory. It is purely improper technical approach. Zerodha should rethink its justification. It is much easier to accept this as Zerodha's newly added prerequisite than saying it is in line with the SEBI Cyber Security regulations.
Can you please make it so that we only have to enter this TOTP once in 24 hrs, at any time, such as in the evening, and we can trade in the day? Now we have to enter it before the market opens. I had an automated system that allowed me to work my job at night. Now I have to wake up early every day for this. There is no added security. This is just an unnecessary inconvenience. I'm sure many others feel this way as well.
Go to kite login page
Enter ID and password
Enter the TOTP from phone app(?) such as Google Authenticator
Then get to fire off orders(?)
1- Is the TOTP required once through the session or multiple times?
2- How does this make any sense for someone who has multiple APIs running, for example: HUF account and Individual account?
3- Why would Zerodha implement this without it being mandatory from SEBI?
There is no workflow where someone can do this for multiple accounts such as: Individual, HUF account, Corporate account.
Trying to wrap my head around this, and it doesn't make any sense; globally, API access is optionally controlled by TOTP/app authentication. Making TOTP mandatory to fire off orders defeats the purpose of an API.
You'll need the TOTP to login only once per day. Instead of logging in with the PIN in the morning, you use the TOTP.
You'll still get an access token, @ZL4353 . Your orders won't go through though. They'll be rejected and the response will have a message asking you to set TOTP up.
Otherwise we have to time ourselves daily to be awake between 7:30 am to 9:15 am to generate new access tokens.
Can we test this feature before 3rd Oct by enabling TOTP?
The circular is dated Dec 03, 2018. Any specific reason why Kite woke up today to implement it after ~3 years?
For everybody's awareness, can you please point out the exact section from the SEBI circular which mandates API users to use TOTP? The only section I could find which asks for multi-factor authentication is under the annexure. Today, for Kite login, password and PIN are compulsory. So Kite already mandates multiple factors for login today and is MFA compliant. I do not understand why you need to discard the PIN and mandate TOTP. Let the users decide which MFA they wish to use!
@gaurmmec - You are right, I do have an account with AliceBlue too, and they offer a free API and they don't have this TOTP/2FA. Zerodha is making life difficult, first introducing only one login at a time (if you try to login at another desktop, it logs you out from the first one) and now making 2FA compulsory. The important thing is, when you talk to Zerodha support they say it's a SEBI requirement; however, I don't see any other broker requiring it.
@Matti Kindly think about whether a rollback is possible if none of the other brokers have mandated it, or think of a way to make token generation possible without TOTP.
Margin rules, freak trades, now this TOTP - traders' life is becoming tougher and tougher.
Every trading platform, API or not, is mandated to have 2FA like the circular says. We already enforce it for certain kinds of trades based on risk. SEBI is aware that the industry at large does not implement 2FA according to the original guidelines and there are indications that it will be enforced soon.
Sooner or later every broker and every platform will enforce TOTP, there are already indications internally (among regulators and other stakeholders) as mentioned above.
Why can't you guys wait until SEBI specifically asks for TOTP-based 2FA and every other broker/organization implements this, instead of only Zerodha? You said this enforcement may come from SEBI, but that also means it may not come from SEBI,
OR SEBI allows PIN-based 2FA, which will not require any changes in the current system.
1) API users have created automated systems only because they don't want to do any manual task and want to run their system (place orders and do trading) even when they are on vacation or doing something important. We may be at a remote location where there is no internet, but by making our system completely automated and putting it on a cloud machine we ensure that it works independently of human intervention.
2) It is not possible to run our system on all trading days by manually entering the TOTP, and this will lead to data loss. Every algo uses historical data, and since you already stopped support for Pi and you are charging another 2000 Rs for the historical data API, running our automated system on all trading days in order to collect data is our only way around here.
3) Also, people are using these algos for multiple accounts, and it is not possible to get the OTP from each and every mobile because not all account holders are in one city.
These are the reasons we are paying you guys 2000 Rs monthly, even when we are at a loss in our trading.
Don't you think, as loyal customers of Zerodha, we deserve better? Shouldn't you keep us in mind while implementing something new and give a thought to how it can affect our work and our business?
People using your API will have problems with this new mandatory action by Zerodha. Please give this a second thought.
Please note that the first part of #2 recommends the use of 2FA, and the second part says 2FA is mandatory for IBTs, but it doesn't say that the 2FA has to be TOTP. PIN should be OK.
@Matti
In my opinion, people use the API to create algorithms, and for an algorithm to run correctly it needs data. Please suggest any other way where an algorithm can take a decision on buying and selling without data.
If the API provided by you guys should only be used for order execution, then why shouldn't we use the Kite website or mobile app to place orders? Why would anyone use the API only to place orders?
We have always informed, the historical data API is provided for backtesting purposes only. We recommend you to generate candles at your end using Websocket API data.
Only Zerodha has been asked by SEBI ? No one else has been asked by SEBI ?
As @amit0 asked, can you please show us where it says it's mandatory to implement TOTP?
Are you securing API users from themselves? Please help me understand the risk.
And for data, as an add-on, you charge another 2000. Just give me one reason why we shouldn't store tick data in our personal database. Are we not supposed to be smart enough?
PIN or any sort of secondary password that the user enters from memory is not actual 2FA and does not meet SEBI's definition of 2FA.
@Matti
Let SEBI take any action on their definition. Let SEBI say the same. Let SEBI elaborate the definition in a more correct way.
Why are you guys in so much of a hurry, especially when it will do more harm than good to the user?
1. No OTM options buy
2. Charging 2000 per month, even when I'm generating lakhs of brokerage for them.
3. Additional overhead in token generation because of TOTP.
I understand that sooner or later it will be made mandatory, but let that time come; it could be 1 or 2 years, and at least our life will be easy till then. Why unnecessarily trouble us when our returns are already impacted heavily because of margin rules?
Please make it optional. Whoever wants additional security can opt for that.
Can you please help us understand what kind of cyber security related issue you have faced with the Kite Connect API and how this TOTP helps to stop it?
I looked into this further and it's very easy to programmatically generate TOTP. If time permits I will write a post on how to do it, but as all of us are devs here, just check the pointers below.
1. When you enable TOTP, Zerodha shows you a QR code. The QR holds a key (you can copy that by clicking the link below it).
2. Use that key and system time to generate the TOTP. You can use this key / QR code to add the account to any authenticator app as well.
3. You can use various libraries like https://www.npmjs.com/package/totp-generator or https://github.com/jiangts/JS-OTP to create the OTP. Just supply the key you got from step 2.
So it's not so difficult to automate login.
If I enable TOTP from Kite, will I be able to generate an access token using the PIN? I am talking about before 1st October.
import pyotp
totp = pyotp.TOTP('YOUR_SECRETKEY_GOES_HERE')  # the base32 key shown under the QR code when enabling TOTP
totp.now() # => '492039' use the output for getting access token
Please refer https://pyauth.github.io/pyotp/ for more details
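The two posts above (the "key under the QR code plus system time" pointers, and the pyotp snippet) both describe RFC 6238 TOTP. As an added example that is not from this thread, from Zerodha or from pyotp, here is the same algorithm written out with only the Python standard library, so you can see exactly what the authenticator app and pyotp compute from that key. The seed is the RFC 6238 reference secret in base32, constructed for this example, not a Zerodha key; the step size, digit count and SHA-1 are the RFC defaults that Google Authenticator and pyotp also use, and the verifier's one-step tolerance window is an assumption (the page does not say what window the Kite login allows). One caveat worth stating plainly: once the base32 seed sits on the same machine as the API key and API secret, it is no longer a second factor but a second password, so if you automate this keep the seed in a separate secret store rather than next to the credentials.

```python
"""RFC 6238 TOTP generator and verifier using only the Python standard library."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed test seed: the RFC 6238 reference secret (ASCII "12345678901234567890")
# written in base32, the same form an authenticator app or TOTP QR code exports it in.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_b32_secret(secret_b32):
    """Decode an authenticator-style base32 key; tolerate spaces, lowercase and missing '=' padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret_b32, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(decode_b32_secret(secret_b32), struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # drop the sign bit
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). `at` defaults to the current time."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at) // step, digits, algo)


def verify_totp(secret_b32, code, at=None, window=1, step=30, digits=6, algo=hashlib.sha1):
    """Server-side check: accept the code for the current step and `window` steps either side.

    All candidates are computed before comparing, and hmac.compare_digest is used so the
    comparison does not leak how many leading digits matched.
    """
    if at is None:
        at = time.time()
    counter = int(at) // step
    candidates = [hotp(secret_b32, c, digits, algo) for c in range(counter - window, counter + window + 1)]
    return any(hmac.compare_digest(cand, str(code)) for cand in candidates)


if __name__ == "__main__":
    # The 6-digit code an authenticator app provisioned with this seed would show right now
    print(totp(RFC6238_SEED_B32))
    # RFC 6238 test vector: T=59, SHA-1, 8 digits -> 94287082
    print(totp(RFC6238_SEED_B32, at=59, digits=8))
```

`totp(key)` with the key copied from under the QR code produces the same six digits as Google Authenticator or Authy provisioned from that QR, because all of them implement this RFC with the same defaults; that value is what goes into the TOTP field of the Kite login page before the request token is exchanged for the access token.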
I hope Zerodha doesn't mandate PHYSICAL Token soon
Maybe internally you can hash the previous token and continue your processes, but flush the user token so we can generate a new one earlier? In short I'm proposing a new internal token you use for whatever processes you have which require it (I don't know why it should be used - but whatever the reasons it solves your purpose) and the user token can be flushed.
What is the secret key here? The key under the QR code or the API secret key?
What needs to be passed to KiteInstance.GenerateSession?
KiteInstance = new Kite(MyAPIKey, Debug: true);
KiteInstance.SetSessionExpiryHook(OnTokenExpire);
//TOTP (Otp.NET) - only needed to fill the TOTP field on the Kite login page, not for GenerateSession
//NB: the key under the QR code is base32 text, so Otp.NET decodes it with Base32Encoding.ToBytes(key);
//taking the UTF-8 bytes of the string, or of the API secret, gives a different key and wrong codes
//var bytes = System.Text.Encoding.UTF8.GetBytes(MySecret);
//var totp = new Totp(bytes);
//var otp = totp.ComputeTotp();
// GenerateSession takes the request_token returned by the login redirect (held here in AccessTokenTextBox)
// and the Kite API secret from the developer console, not the TOTP key
User user = KiteInstance.GenerateSession(AccessTokenTextBox.Text, MySecret);
MyAccessToken = user.AccessToken;
KiteInstance.SetAccessToken(MyAccessToken);
a. I understand that order placement will be rejected
b. But please confirm that other read-only APIs like ltp and quote will still work.
Just a question out of curiosity
Question: How will Zerodha handle the trades that are currently protected via TOTP?
The use of TOTP to safeguard against suspicious trades was a helpful feature. With this change there is no protection against such trades.
_______________________________________________________________________________________
IMO:
Please postpone the date. Provide some time for users to update their code.
"IMPORTANT: Once TOTP is setup, you have to use the same mobile authenticator app to generate a new 6-digit TOTP every time you login."
I have one doubt here: I can use the same authenticator app on different devices to login, right?
https://www.gojek.io/blog/a-diy-two-factor-authenticator-in-golang
Trust me it's as seamless as without, with the added peace of having another layer of security.
I have the Authy app on 2 devices for token generation, just in case.
Congrats to Zerodha team for implementing this well.
Consider this please. I am an "almost blind" person, and I got my API system developed because I was having major problems using kite apps and website to place order.
It's an issue with every broker in India. The apps and websites are difficult to use for blind or almost blind people.
Everything was ok with API, I could trade using my own "simpler" platform, built specifically for me.
Everything works with my screen reader on my simpler platform, no problems.
Now you are implementing this 2FA system, which requires me to use a third party app on smart phones to get a code daily, and use that code to login within 30 seconds.
Is that right?
It will take me over a minute to even open the app, let alone read the code using accessibility technology of the phone...
By that time, the login flow has expired, am I right?
So I need to find someone everyday who can help me login to zerodha, "daily"...
Why is India so inconsiderate and insensitive towards blind people?
SEBI has no idea that even blind people are trading?
I am sincerely asking and requesting, please keep this optional.
Please do not make it mandatory.
Anyone who requires higher security can opt for the system; otherwise, let the user be responsible for their API and account security.
You can update your terms of use and make us accept the terms, and let the user be responsible for the security.
No need for you to take the responsibility and implement password layer over layer over layer over layer in the name of security.
I will happily take the responsibility of securing my API and account, no problem.
Can you please give me a direct line of communication with SEBI?
I will take up this issue with them as well.
If I give you a written complaint as zerodha user, can you forward it to SEBI, asking them to consider?
It will have more impact on SEBI if the request goes through you, instead of me as individual...
It's really sad to see how insensitive decision makers are in India, especially when it comes to accessibility...
ZERO idea of our problems.
Totally zero.
Again, sincerely asking, please please reconsider this decision.
It will make things a lot lot difficult for people like me.
Please reconsider this.
Honestly, it will cause so many problems for people like me...
You have no idea...
Thanks
We understand the situation and can sympathise with your plight. However, we can't make an exception to complying with SEBI rules. SEBI is going to mandate 2FA for all the platforms across the brokers soon.
That's the whole point. If SEBI is the dictator, then as service providers you must make them aware of situations of your customers, people like me.
I am sure that I am not the only blind person in your client list.
There must be many more.
I was hoping that zerodha will stand with us customers, and will tell SEBI what the problem is in implementing 2FA.
But you are giving me a straight "NO" as answer...
SEBI wants to implement 2FA, sure go ahead.
But also give disabled people an alternative.
Where is that alternative?
It's not there because you are not willing to tell SEBI that an alternative is "needed", a "must".
Do you see my point now?
Every website in countries like the USA is supposed to have an alternate system for disabled people, so that "functionality" is accessible to "everyone".
But here, you are directly saying, "NO".
And that too in the core login process...
At least make SEBI aware of the situation, and tell them that PWD customers are asking for an alternative.
LAWS are not coming down from sky. We are making them. We can change them too...
But there has to be a will to make the change in the law...
Simply refusing is not the answer to the problem...
So SEBI has not mandated it yet, and you are assuming that SEBI will ask brokers to implement TOTP. What if SEBI wants something else, not TOTP? Nowhere in the circular is TOTP mentioned.
Zerodha is known to be customer centric. Should try raising this point with SEBI for PWD customers. You can also conduct an internal survey of Zerodha PWD customers to first get an idea about UX of these customers post TOTP changes.
My friend, please convey my message to SEBI.
All I am asking is an "alternative" for PWD, people with disability.
That is all I am asking.
A simple alternative.
I am not asking to take back the rule of 2FA.
Just a request, to provide an alternative.
That's all I am asking.
I am "HONESTLY" hoping that zerodha will stand with us customers.
I have been told that zerodha is known to stand with customers.
This is my reason for hope.
See, please please try to understand the situation from our side.
Let me explain, read this below, its important.
You have website and app, which we blind people find very very difficult to use.
We did "not" complain.
We found an API alternative from "you only" which allowed us to build our own trading system.
We spent money and got this thing coded for ourselves.
We pay 2000 extra every month to get this API system running.
No problem at all.
Absolutely none.
We were happy that zerodha provided this.
We thanked you.
Then "you or SEBI" comes up with a new "idea" that makes the alternative itself impossible to use, for us...
And you provided no "new alternative" which we disabled people can use...
Please tell me that you understand what is happening here...
Kindly tell me that you understand...
You know, it's not just handicaps with visual problems like me, but there are hundreds who have cerebral problems which restrict their limb movement, and many others with one hand, etc...
Imagine a 30 second validation process for them...
With "one hand", they open a third party app, copy or memorize the code, then come back to zerodha to login, only to find out that the code has expired in 30 seconds...
Do you see the problem?
Same problem with us blind people. We use "TalkBack (Android)" or "VoiceOver (iPhone)" inbuilt utilities to read everything on the screen.
This takes time. We "double click everything", and the voice feedback itself takes time.
And you and SEBI are "assuming" that 30 seconds is enough, including webpage load/serverConnect time...
Please make SEBI aware of the situation...
They are a govt organization.
They must consider "EVERYONE", not just "MAJORITY".
Physically disabled, PWD people like me must also be considered when making "major decisions" like these.
No orders placed for me today.
I logged in using normal old process.
API validated.
But no orders placed.
My friend, do you know why all this is happening?
Core reason?
Because some very very "stupid" people are not able to keep their "main password" secret.
Some foolish people are "announcing" their passwords on loudspeakers in mandirs and masjids and phones, and whoever is asking them, they are telling.
This is why all of us are suffering...
To protect these foolish people, you, SEBI, internet community is coming up with new new rules daily.
This authentication, that authentication, etc etc, all to protect these fools who tell their main password to anyone...
Put in your terms and conditions, that nobody is supposed to tell their main password to anyone, and you are not legally responsible anymore.
This is all you need legally.