The circular states that “members shall use biometric authentication as one of the authentication factors for logging on to their demat accounts”. The second factor could be a “knowledge factor” – something that only the user knows, such as a password or PIN – or a “possession factor” – something that only the user has access to, such as a one-time password (OTP), security token or authenticator app on a smartphone or desktop. Customers should receive the OTP through both email and SMS. In cases where biometric authentication is not possible, the circular requires the members to use the knowledge factor (password/PIN), possession factor (OTP/security token) and user ID.
Puneet Maheshwari, Director at online stock trading platform Upstox, says, “Most stock brokers were complying with an authentication factor other than the password (such as using a PIN). However, both these factors (i.e., password and PIN) were knowledge factors and cannot be called two separate factors for authentication, as mandated by the circular. With the latest circular, the exchanges (NSE and BSE) have reiterated SEBI’s December 3, 2018 circular on Cyber Security and Cyber Resilience Framework, which provides for such discrimination in authentication factors. Via the circular, the exchange has now made such 2FA mandatory for login purposes with effect from September 30, 2022.”
Online stockbroker Zerodha said on its website, “As per the new exchange rules, it is mandatory to enable TOTP 2Factor login in your account before 30th September 2022, failing which, you will not be logged in to Kite (its in-house online trading platform).”
TOTP stands for Time-Based One-Time Password. Unlike a traditional OTP that is delivered to you via email or SMS, a TOTP is generated by a TOTP app that is already on your phone. Zerodha said this TOTP is only valid for a short period – usually 30 seconds – and is regenerated every 30 seconds.
How to Enable Two-Factor Authentication in Demat Accounts
As per the circular, biometric authentication will be used together with a password/PIN or an OTP/security token. However, where biometric authentication is not possible, login to demat accounts should be permitted using a combination of password/PIN with OTP/security token.
Maheshwari says, “Since biometric authentication for login to demat accounts may not be possible every time, especially in desktop login, it is likely that stockbrokers may use both password and OTP to enable login for clients.” Check with your stockbroker for the method they use for demat account login from 1st October.
According to Zerodha, to get TOTP, a person needs to download one of the following apps on their PC or mobile phone:
a) Google Authenticator
b) Microsoft Authenticator
c) Authy
d) LastPass Authenticator
e) Bitwarden
Upstox users will have to enter OTP and PIN. Biometrics will be used along with OTP or PIN in case of mobile login.