The current process of typing your entire password + looking up the TOTP/2FA code from mobile is very cumbersome.
This is also made extra annoying by the fact that Kite logs you out every time you close the browser, and not just at the end of the day like other brokers. So if I log in to the website in the morning, close the browser and come back later, I have to do this whole login process again.
Please consider implementing any of the following.
- Scan a QR code shown on Kite web, using Kite mobile
  - Dhan uses this and it is very convenient.
  - Satisfies 2FA since you used 2FA to log in to Kite mobile.
- Lock with a PIN instead of logging users out every time they close the browser.
  - Users can set a PIN and log in with it instead of a TOTP code.
  - Same security level as a fingerprint being used for 2FA.
  - Groww implements this.
- Fingerprint on desktop
  - With advancements in authentication protocols such as WebAuthn, it is possible to securely store credentials on desktop too, exactly like they are stored on Android.
  - This is the most convenient. You can just give your fingerprint on desktop and it will log in like mobile.
  - Zerodha could be the first broker to implement this.
I created a ticket for this almost a year ago and they said they would forward the feedback to the developers, but there haven’t really been any fixes or replies to address/close this over the past year. I decided to create a topic so other members of the community can give their feedback if they face the same issues.
1 Like
Hi,
There are a couple of reasons why we didn’t use this approach.
- Login to the web here is by using just one factor, which is not in line with the circular released by the exchanges.
- There are chances where phishing websites can be set up where the QR code can be mimicked, resulting in a security issue for the client.
Password and PIN are both knowledge factors, and the circular specifically mandates that a possession factor be used as a second factor; hence, we won’t be able to use this approach.
The number of folks who will use this would be very low currently, but we will explore this.
Also, someone has posted a solution for multiple accounts here. The same approach can help for managing single account as well. Check if this post helps.
1 Like
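The QR flow the thread is discussing, together with the phishing concern raised in the reply above, as an added example that is not part of either post and is not Zerodha's or Kite's code. Everything in it is assumed for the illustration: the server keeps a short-lived, single-use nonce per QR (stored only as a hash), the phone must already hold a logged-in session, the approval screen shows the phone which browser requested the login, and the browser polls with the session it used to request the QR. The "relay" scenario models the objection in the reply: a phishing page requests a real QR for the attacker's own browser session and shows it to the victim, so the genuine app scans a genuine code. All identifiers, tokens and addresses are constructed.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

QR_TTL_SECONDS = 60  # assumed: a QR nonce is short-lived and single-use


@dataclass
class PendingLogin:
    created: float
    web_session_id: str   # browser session that asked for the QR
    client_ip: str        # shown on the phone before it approves
    user_agent: str
    approved_user: Optional[str] = None


class LoginServer:
    """Server side of an approve-on-phone QR login (illustrative, not Kite's)."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}          # sha256(nonce) -> PendingLogin
        self.mobile_sessions = {}  # phone token -> user id
        self.web_sessions = {}     # web token -> user id

    @staticmethod
    def _key(nonce):  # only a hash is stored; a leaked table is not replayable
        return hashlib.sha256(nonce.encode()).hexdigest()

    def _lookup(self, nonce):
        rec = self.pending.get(self._key(nonce))
        if rec is None:
            raise LookupError("unknown or already used QR code")
        if self.clock() - rec.created > QR_TTL_SECONDS:
            del self.pending[self._key(nonce)]
            raise TimeoutError("QR code expired")
        return rec

    # Step 1: the browser requests a challenge; the nonce is rendered as the QR.
    def create_qr_challenge(self, web_session_id, client_ip, user_agent):
        nonce = secrets.token_urlsafe(32)
        self.pending[self._key(nonce)] = PendingLogin(
            self.clock(), web_session_id, client_ip, user_agent)
        return nonce

    # Step 2: the logged-in phone scans the QR, is shown which browser asked
    # for it, and must confirm (the "Login to Kite Web" button from the thread).
    def approve(self, nonce, mobile_token, confirm):
        user = self.mobile_sessions.get(mobile_token)
        if user is None:
            raise PermissionError("phone is not logged in")
        rec = self._lookup(nonce)
        if rec.approved_user is not None:
            raise PermissionError("QR code already approved")
        if not confirm({"ip": rec.client_ip, "user_agent": rec.user_agent}):
            return False  # user declined on the phone
        rec.approved_user = user
        return True

    # Step 3: the browser polls; on success the nonce is consumed.
    def poll(self, nonce, web_session_id):
        rec = self._lookup(nonce)
        if rec.web_session_id != web_session_id:
            raise PermissionError("QR code belongs to another browser session")
        if rec.approved_user is None:
            return None  # not approved yet; keep polling
        del self.pending[self._key(nonce)]  # single use
        web_token = secrets.token_urlsafe(32)
        self.web_sessions[web_token] = rec.approved_user
        return web_token


VICTIM_IP = "203.0.113.5"  # constructed: the victim's own desktop
CHECK_PROMPT = lambda prompt: prompt["ip"] == VICTIM_IP  # user reads the prompt


def _server_with_phone(clock=time.time):
    srv = LoginServer(clock)
    srv.mobile_sessions["phone-token"] = "AB1234"  # phone already did password + TOTP
    return srv


def legitimate_login():
    """Returns the user id bound to the new web session."""
    srv = _server_with_phone()
    nonce = srv.create_qr_challenge("web-sess-1", VICTIM_IP, "Firefox/desktop")
    assert srv.poll(nonce, "web-sess-1") is None  # nothing approved yet
    srv.approve(nonce, "phone-token", CHECK_PROMPT)
    return srv.web_sessions.get(srv.poll(nonce, "web-sess-1"))


def relay_attack(confirm):
    """Phishing page shows the victim a real QR issued to the attacker's browser.
    Returns True if the attacker's browser ends up logged in as the victim."""
    srv = _server_with_phone()
    nonce = srv.create_qr_challenge("attacker-sess", "198.51.100.77", "Chrome/attacker")
    srv.approve(nonce, "phone-token", confirm)
    return srv.poll(nonce, "attacker-sess") is not None


def expired_qr_rejected():
    now = [1000.0]
    srv = _server_with_phone(clock=lambda: now[0])
    nonce = srv.create_qr_challenge("web-sess-1", VICTIM_IP, "Firefox/desktop")
    now[0] += QR_TTL_SECONDS + 1  # the user scans too late
    try:
        srv.approve(nonce, "phone-token", lambda prompt: True)
    except TimeoutError:
        return True
    return False
```

The TTL, the single-use nonce and the session-bound polling shrink the window, but none of them lets the server tell a victim's scan from a relayed one: the code in the attacker's page is real. In this model the only control that defeats the relay is the confirmation screen on the phone showing the requesting device, and the user actually reading it, which is why the objection in the reply and the "label the button" suggestion in the next post are both about that one screen.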
Hey @Shravan_B_K , thanks for the reply
> Log in to the web here is by using just one factor
You have to scan the QR with the Kite mobile app. You’ve already logged into Kite mobile, meaning you have satisfied the security criteria since you’re logged into the app and can use it fully.
> There are chances where phishing websites can be set up where the QR code can be mimicked
This is not any different from them mimicking Zerodha’s normal sign-in site.
Zerodha can label the button itself as “Login to Kite Web” to avoid any confusion. There can be a confirmation button too. ICICI Securities and Dhan have both implemented this, so it is not some new/risky/exciting technology in Indian markets.
If you open the Kite app, scan a QR using the same app and then expect something that is not being signed into Zerodha to happen then I think the same person would fall for a fake login site too. This is just my personal opinion and the Zerodha security team can differ.
> The number of folks who will use this would be very low currently, but we will explore this.
A lot of people have a fingerprint reader on desktop, but yeah, WebAuthn penetration is low due to sites not using it. Google has started heavily encouraging users to enable this, so Zerodha will not be the first or the largest. Kindly discuss it internally since it’s the best.
> Password and PIN are both knowledge factors
I meant this in a way such that a PIN is used instead of logging people out within the same day. I know that we have to log in every day, but logging in multiple times the same day is tedious and not a threat model the average user faces.
> a solution for multiple accounts
Thank you, but I do not use multiple accounts. I have to login multiple times in the same day on my only account, that was the problem I faced. I use browser profiles and password managers (religiously) so remembering passwords is not an issue. The process is tedious.
On a side note, what does Zerodha consider as knowledge factor when I am signing in on mobile? I am only giving my fingerprint. Are you guys considering the fact that I entered my password when I logged in initially on mobile (weeks or months ago) as knowledge factor?