How are Kite app code and external TOTP better than SMS OTP?
SMS is the most commonly used form of two-factor authentication (2FA) across industries. In capital markets, however, SMS as a second factor has the following disadvantages:
- Millions of users log into the trading platform at market open and during volatile periods. Sending tens of thousands of time-sensitive login OTP SMSes per second can result in non-delivery or delayed delivery, preventing users from logging in and squaring off positions on time.
- As per regulations, users are forcibly logged out of the trading platform at the end of each day and must log in again the next day, so they are exposed to the risk of SMS non-delivery or delay every single day.
- Dependency on telecom operators to deliver SMS is a systemic risk for a trading platform where authentication must happen on time and at large scale.
- SMS offers no end-to-end encryption and no cryptographic binding to the recipient: the message is readable by the carrier, the mobile radio link is only weakly encrypted if at all, and the contents can be captured over the air with radio hardware close to the device.
- SIMs can be hijacked (SIM swap) by socially engineering the carrier's support staff, and the OTP itself can be phished from the user in real time.
The advantages of the Kite app code and TOTP over SMS 2FA are as follows:
- The Kite app code is generated on the device itself from a secret shared once at enrolment, rather than delivered as a message, so there is nothing in transit for an attacker to intercept.
- The Kite app code is only valid for 30 seconds; a new code is generated once the previous one expires, so an intercepted or phished code is useful for at most one short window.
- TOTP secrets sit behind an additional layer of authentication, such as the phone's biometric or PIN lock, and the secret can be stored and the codes generated on a dedicated hardware token that never exposes the secret.
- Generating and verifying a TOTP requires no external network connectivity such as an SMS gateway: the app and the server each compute the code from the shared secret and the current time.
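The following is an added example, not Kite's code or the code of any TOTP app: it implements the RFC 6238 TOTP scheme that the points above describe, so you can see why no message is transmitted, why a code expires after 30 seconds, and how a server should check a code (small clock-drift window, constant-time compare, and refusing to accept the same time step twice). The secret and timestamps are the published RFC 4226/6238 test vectors, not real enrolment data; `TotpVerifier` and `decode_base32_secret` are names chosen here for illustration.

```python
"""RFC 6238 TOTP: generate, verify with a drift window, reject replay.

Added example; not Kite's own code. The secret and timestamps below are
the RFC 4226 / RFC 6238 test vectors, not real enrolment data.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30      # seconds per code, as described above
DIGITS = 6
DRIFT_WINDOW = 1    # accept one step either side to tolerate clock skew

# RFC 4226 Appendix D / RFC 6238 Appendix B reference secret (ASCII).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """TOTP = HOTP(secret, floor(unix_time / step)). Nothing is sent over a
    network: app and server both compute this from the shared secret and
    their own clock, and the result changes every `step` seconds."""
    return hotp(secret, at // step, digits)


def decode_base32_secret(b32: str) -> bytes:
    """Authenticator apps receive the secret base32-encoded (otpauth:// URI).
    Tolerate lowercase, spaces and stripped '=' padding."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


class TotpVerifier:
    """Server-side check for one enrolled secret. Accepts a code within the
    drift window, compares in constant time, and never accepts a time step
    at or below the last consumed one, so a phished or shoulder-surfed code
    cannot be replayed even inside its 30-second lifetime."""

    def __init__(self, secret: bytes, window: int = DRIFT_WINDOW):
        self.secret = secret
        self.window = window
        self.last_counter = -1   # highest time step already consumed

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        if at is None:
            at = int(time.time())
        if len(code) != DIGITS or not code.isdigit():
            return False
        base = at // TIME_STEP
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self.last_counter:
                continue   # already used (or older than one used): reject replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test vector: at unix time 59 the 6-digit SHA-1 code is 287082.
    print(totp(RFC_SECRET, 59))
    v = TotpVerifier(RFC_SECRET)
    print(v.verify("287082", at=59))    # fresh code: accepted
    print(v.verify("287082", at=59))    # same code again: rejected (replay)
    print(v.verify("287082", at=100))   # a step later: expired
```

The replay check matters because a 30-second lifetime alone does not stop an attacker who phishes a code and uses it within seconds; tracking the last consumed time step per user closes that gap without any extra round trip.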
To learn how to set up external TOTP, see
How to set up Time-based OTP (TOTP) to log in to Kite?