SEBI 2FA Rules for Trading Apps in India
SEBI 2FA rules summarised for stock-broking and trading-app developers: every-login enforcement, biometric alternatives, audit retention, and pitfalls to avoid.
StartMessaging Team
Engineering
SEBI’s 2FA framework for stockbrokers is one of the strictest in financial services. Every login requires a fresh second factor. Most brokers default to SMS OTP; modern brokers layer biometrics on registered devices.
Overview
- Every-login 2FA.
- Order-placement step-up at broker discretion.
- Mandatory cool-down on failed attempts.
- Audit log of authentication events.
Every-Login Mandate
Trusted-device suppression is not allowed. Persistent sessions are capped per SEBI guidance.
Biometric as Second Factor
Platform-grade biometric authentication on a registered mobile device is permitted. Device registration ties the biometric proof to the user's identity.
Order-Placement Step-Up
- High-value orders trigger fresh OTP.
- F&O margin calls — step-up.
- Pledge / unpledge — fresh OTP.
Audit Retention
Retain authentication logs for a minimum of 8 years, per stockbroker bookkeeping rules. For each event, retain (requestId, action, status, IP, deviceId, timestamp).
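The sketch below is an added example, not StartMessaging or SEBI code: it combines the every-login rule, the registered-device condition for biometrics, the cool-down on failed attempts, and the audit record fields listed above in one login gate. The class name `LoginGate`, the two verifier callbacks, the status strings, and the values of `MAX_FAILS` and `COOLDOWN_SECONDS` are assumptions chosen for illustration, and the first factor (password or PIN) is assumed to have been checked before `login` is called.

```python
import time
import uuid

MAX_FAILS = 3                        # assumption: the page gives no threshold
COOLDOWN_SECONDS = 300               # assumption: the page gives no duration
RETENTION_SECONDS = 8 * 366 * 86400  # page: minimum 8 years (366-day years, never short)


class LoginGate:
    """Hypothetical gate: fresh second factor on every login, cool-down, audit trail."""

    def __init__(self, verify_otp, verify_biometric, registered_devices):
        self.verify_otp = verify_otp              # callable(user, proof) -> bool
        self.verify_biometric = verify_biometric  # callable(user, proof) -> bool
        self.registered = registered_devices      # {user: {deviceId, ...}}
        self.fails = {}                           # user -> (fail_count, locked_until)
        self.audit = []                           # in-memory stand-in for durable storage

    def _log(self, action, status, ip, device_id, now):
        self.audit.append({"requestId": str(uuid.uuid4()), "action": action,
                           "status": status, "IP": ip, "deviceId": device_id,
                           "timestamp": now})
        return status

    def login(self, user, factor, proof, ip, device_id, now=None):
        now = time.time() if now is None else now
        count, locked_until = self.fails.get(user, (0, 0.0))
        if now < locked_until:                    # attempts during cool-down are logged too
            return self._log("login", "cooldown", ip, device_id, now)
        # No trusted-device shortcut: a registered device only unlocks the biometric
        # option, it never removes the need for a proof on this login.
        if factor == "otp":
            ok = self.verify_otp(user, proof)
        elif factor == "biometric":
            ok = (device_id in self.registered.get(user, set())
                  and self.verify_biometric(user, proof))
        else:
            ok = False
        if ok:
            self.fails.pop(user, None)
            return self._log("login", "success", ip, device_id, now)
        count += 1
        locked_until = now + COOLDOWN_SECONDS if count >= MAX_FAILS else 0.0
        self.fails[user] = (0 if locked_until else count, locked_until)
        return self._log("login", "failed", ip, device_id, now)

    def purgeable(self, now):
        """Audit records past the retention period; everything else must be kept."""
        return [r for r in self.audit if now - r["timestamp"] > RETENTION_SECONDS]
```

Every outcome, including attempts rejected during the cool-down, produces an audit record, so the log shows lockouts as well as successes and failures.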
FAQ
StartMessaging ships sub-second-latency SMS OTPs that meet SEBI’s every-login bar for production trading apps.