Two factor authentication through Time based OTP

I see you have QR code-based authentication, which is great, but time token-based authentication will also help if anyone is logging in from his computer or TV and somehow doesn’t wish to use app-based authentication. This is useful if a user has two accounts for themselves, say, a spouse or a corporation. Some do think token-based is risky, not sure of your view on it, but everyone from Google to Microsoft uses it, and you will save some money on email and SMS notifications, as that is what I get today if I don’t use the QR code.

Yes, this has been requested many times in the past but the Dhan team believes SMS as the OTP on mobile is more secure than TOTP.

Many people would prefer a mobile-free trading experience and for that TOTP is a way to support that. Mobiles are a distraction but that could be a limited use case.

@PravinJ I am not an expert, but as per multiple studies and articles, including ones from Google and Apple, they claim TOTP is safer. I know users can write code to automate that, but the same can be done with SMS using IFTTT or any automation tool. It’s your choice, but TOTP is really better from a user perspective, as they don’t have to wait for it, and also for Dhan as it reduces their cost.

I agree 100% with you. TOTP is very user-friendly, plus lower costs, and you don’t have to depend on a mobile to trade.

Hi @manikwalia We want to ensure that trading accounts continue to be safe. We are aware of procedures to skip TOTP via automation, just as you mentioned, which leads to accounts being operated on behalf of others. That aside, without naming anyone in particular, I am also aware that some broking platforms remained inaccessible to their users when third-party login and authentication platforms have been down in market hours.

Dhan was the first to bring QR-based login to the broking industry, and we have seen a few larger players adopt it following our footsteps. I understand some brokers will provide TOTP and some won’t; we will have to build capabilities and features that help us keep things robust and secure, plus accessible.

That is fine, it’s for additional use only, and it’s your team’s decision how you view the risk.

Both QR-based login and TOTP (Time-Based One-Time Password) have their advantages in terms of safety and speed:

  1. QR-based login: It’s convenient because users can quickly scan a QR code to set up authentication. However, it may have some security concerns if the QR code is intercepted or if the device used for scanning is compromised.

  2. TOTP: It’s also convenient and provides an additional layer of security as the one-time passwords are time-based and not dependent on a QR code. However, users need to manually enter the generated codes, which can be slightly slower than QR-based login.

TOTP (Time-Based One-Time Password) is considered safe for several reasons:

  1. Dynamic Passwords: TOTP generates one-time passwords that change over time, typically every 30 seconds. This dynamic nature makes it resistant to replay attacks, where intercepted passwords cannot be reused.

  2. Cryptographic Hashing: TOTP uses cryptographic hashing algorithms, such as HMAC-SHA1 or HMAC-SHA256, to generate the one-time passwords. These algorithms ensure that the generated passwords are effectively random and virtually impossible to predict without the secret key.

  3. Secret Key: TOTP relies on a shared secret key between the server and the user’s device. This key is securely stored on both ends and never transmitted over the network, reducing the risk of interception.

  4. Time Dependency: The validity of each one-time password is time-dependent, meaning it is only valid for a short period (usually 30 seconds). This limits the window of opportunity for attackers to exploit intercepted passwords.

  5. Two-Factor Authentication (2FA): TOTP is often used as part of a two-factor authentication (2FA) system, where users must provide both a static password (something they know) and a dynamic one-time password (something they have). This adds an extra layer of security, further reducing the likelihood of unauthorized access.

Overall, TOTP is widely adopted and considered a secure method for implementing two-factor authentication, providing a balance between security and usability for many applications.

In terms of safety, TOTP generally has a slight edge due to its independence from QR codes, but both methods can be secure if implemented properly. The choice between them often depends on factors such as user preference, ease of implementation, and specific security requirements of the system.
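The mechanics the post above lists (an HMAC over a time counter, a 30-second step, a shared secret that never crosses the wire, and resistance to replay of an intercepted code) are small enough to show in full. The following Python is an added example written for this thread, not code from Dhan or from any poster. It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only; the function names, the `TotpVerifier` class, the "ExampleBroker" issuer and the `alice@example.com` account are my own, and the key is the RFC 6238 Appendix B test key, not a real secret. It also builds the `otpauth://` URI that an authenticator-app enrollment QR code carries, which is worth knowing when comparing "QR" and "TOTP": that QR is just the base32 secret in transit, so it deserves the same care as a password.

```python
"""RFC 4226 (HOTP) / RFC 6238 (TOTP) from the standard library, plus a server-side
verifier that tolerates clock drift but refuses replayed or older codes.
Example code; the secret below is the RFC 6238 test vector key (constructed input)."""
import base64
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# RFC 6238 Appendix B shared secret, used only as sample input.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HMAC(secret, 8-byte big-endian counter), dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """TOTP is HOTP whose counter is floor(unix_time / step); the code changes every `step` seconds."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits, algo)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """The otpauth:// URI that enrollment QR codes encode. It carries the raw secret in
    base32, so a screenshot or log of it is equivalent to leaking the key."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


class TotpVerifier:
    """Server side of the check. Accepts a code from the current step or +/- `window`
    steps (clock drift), but never from a step at or before the last accepted one, so a
    code captured in transit cannot be replayed even inside its 30-second lifetime
    (RFC 6238 section 5.2). In a real deployment `last_counter` lives in persistent
    per-user storage, not on the object."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, algo: str = "sha1") -> None:
        self.secret, self.step, self.digits, self.window, self.algo = secret, step, digits, window, algo
        self.last_counter = -1

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        if at is None:
            at = int(time.time())
        if len(code) != self.digits or not code.isdigit():
            return False
        now = at // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now + delta
            if counter <= self.last_counter:
                continue                         # already used, or older than one we accepted
            expected = hotp(self.secret, counter, self.digits, self.algo)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter      # burn this step before returning success
                return True
        return False


def demo() -> dict:
    """Walk through one enrollment and a few logins; returns the outcomes for inspection."""
    v = TotpVerifier(SAMPLE_SECRET)
    return {
        "uri": provisioning_uri(SAMPLE_SECRET, "alice@example.com", "ExampleBroker"),
        "code_at_59": totp(SAMPLE_SECRET, 59),
        "first_login": v.verify(totp(SAMPLE_SECRET, 59), 59),     # fresh code: accepted
        "replay_same_step": v.verify(totp(SAMPLE_SECRET, 59), 70),  # same step, reused: rejected
        "drifted_client": v.verify(totp(SAMPLE_SECRET, 75), 95),   # client one step behind: accepted
    }


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

Two details matter for a defender reading this. First, `hmac.compare_digest` keeps the comparison constant-time, and the code is checked only after a cheap length/digit sanity test, so a malformed input never reaches the HMAC. Second, the replay guard is what makes "30-second validity" actually mean something: without tracking the last accepted counter, a code phished or intercepted at second 5 of its window still works at second 25, which is exactly the relay-style weakness the post's "Time Dependency" point is meant to close.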