Holders of demat accounts may not be able to log in to their accounts if they do not enable two-factor authentication by 30 September 2022, according to a 14th June circular issued by the National Stock Exchange (NSE).
The circular says that "members shall preferably use biometric authentication" as one of the authentication factors to log on to their demat accounts. The other can be a "knowledge factor" - something only the user knows, like a password or PIN; or a "possession factor" - something only the user has access to, like a one-time password (OTP), security token or authenticator apps on smartphones or desktops. Clients should get the OTP through both email and SMS. In cases where biometric authentication is not possible, the circular mandates, members would have to use a knowledge factor (password/PIN), a possession factor (OTP/security token) and the user ID.
Most stockbrokers already ask for a second authentication step in addition to the password (such as a PIN). However, both of these (i.e., password and PIN) are knowledge factors and cannot be counted as two different authentication factors, as the circular requires. With the latest circular, the exchanges (NSE and BSE) have reiterated SEBI's December 3, 2018, circular on the cyber security and cyber resilience framework, which provides for such differentiation between authentication factors. Through the circular, the exchange has now mandated such 2FA for login from 30 September 2022.
Online stockbroker Zerodha said on its website, "As per new exchange regulations, it is mandatory to enable TOTP 2Factor login on your account before 30 September 2022, failing which, you will not be able to log in to Kite (its in-house online trading platform)."
TOTP stands for time-based one-time password. Unlike a traditional OTP that is delivered to you via email or SMS, a TOTP is generated by a TOTP app that is already on your phone. This TOTP is valid only for a short duration - usually 30 seconds - and is regenerated every 30 seconds, said Zerodha.
How to enable two-factor authentication in demat accounts
According to the circular, biometric authentication would be used together with either a password/PIN or an OTP/security token. However, where biometric authentication is not possible, login to demat accounts must be allowed using a combination of password/PIN with OTP/security token.