Why Online Trading Platforms Need Special Attention for Multi-Factor Authentication (MFA)?

By: Himanshu Soni, Jay, and Team @ Silence Laboratories

The Securities and Exchange Board of India (SEBI) made two-factor authentication (2FA) mandatory for all online trading platforms as an enhanced security mechanism in 2012. [1]

2FA is a security procedure in which the user verifies his or her identity by supplying two factors: a user name and password, plus a piece of personal information chosen by the user. 2FA helps prevent online fraud on two levels: it assures the user that they are logged in to the correct trading website, and it adds another layer of verification of the user's identity. The procedure applies to both new and existing online trading accounts. At the time of first use, the user must register their 2FA details, and the two identifying factors cannot be the same. If incorrect information is entered during login, the account may be locked; it can be unblocked by contacting the broker's customer care department.

The world has moved far beyond 2012 in terms of digitalization, hacking capabilities, and cyber-attacks, so one key question arises: is this mechanism still sufficient to protect the user's privacy today?

Phishing attacks saw a 660% rise in 2021, and total losses due to cybercrime are expected to reach around $6 trillion in 2021. [2,3]

The answer depends on the number and severity of cyberattacks on the online trading industry since 2012. The industry has seen a series of cyberattacks despite using 2FA. Some recent cases are listed below:

1. Upstox Data Breach (April 2021): Indian trading platform Upstox openly acknowledged a breach of know-your-customer (KYC) data and immediately reset the passwords of all users. [4]

2. Unnamed Online Trading Platform (June 2021): According to cybersecurity and big data startup Technisanct, sensitive information of more than 3.4 million customers was leaked in a serious data breach at one of India's leading online trading platforms. [5]

Methods used by trading platforms, and their issues:

The biggest loophole in this mandate was that SEBI left it to each broker to devise the second identifying factor. [1] While some brokers adopted PAN, date of birth, personal questionnaires, or OTPs, most platforms settled on SMS-based OTPs as the additional authentication mode for 2FA. SMS-based OTPs were a proven method in 2012, but research has since exposed many vulnerabilities and usability concerns in this method.

A. Issues with SMS-based 2FA: SMS-based OTP codes were declared outdated by NIST [6] in 2016, yet SMS codes remain the most prevalent mode of authentication in the Indian online trading industry. Cybersecurity research has established many records of the vulnerabilities of SMS OTP-based 2FA. SMS-based 2FA is vulnerable to SS7 attacks, SIM swapping, and malware and trojans that trick users into granting permission to read messages, thereby bypassing 2FA. SMS code-based 2FA is also not user-friendly, since it requires reading the code, memorizing it, and then typing it in, which is time-consuming and inconvenient. [7]

Zerodha recently recognized the vulnerabilities of SMS-based authentication and moved to TOTP-based authentication with Google Authenticator. So, is this the best authentication method for online trading platforms for the next 5–6 years?

B. Issues with TOTP-based 2FA: TOTP is simply offline code generation by a local app (the most widely adopted being Google Authenticator). Although TOTP-based 2FA is a better alternative than SMS-based 2FA, it still has several vulnerabilities in terms of security and usability. Several banking trojans and malware families have defeated TOTP-based 2FA, which hampers the long-term viability of this method. Newly identified Android trojans are specifically targeting the financial industry. [8,9]

TOTP-based authenticators have been challenged by abuse of the Android Accessibility Service (AAS). Once the user grants it permission, an app using AAS can perform critical interactions on the user's behalf. As a result, a malicious application can read or generate SMS messages, read emails, read two-factor authentication (2FA) codes generated by authenticator apps, and record credentials entered by users into mobile banking apps.

TOTP codes can be read by malware applications with AAS permissions. [10]

The absence of a data security authority in India is a major reason behind the massive increase in the number of cyber security cases. Even when breaches are identified, the lack of a regulatory body paves the way for repeated breaches.

We published a detailed usability and security trade-off analysis in our previous article here.

We know there is a problem, but what is the solution to immunize online trading platforms against cyber-attacks?

In a nutshell, we need to complement current MFA/2FA architectures with modules that:

1. Put more checks and proofs in place at the instant of second-factor authentication.

2. Do so without introducing extra friction for the end user.

Essentially, this means a much better balance between usability and security.

Silence Laboratories has designed a patented and niche authenticator framework, Silent Auth, which brings an unprecedented balance between user experience and security.

Silent Auth brings in a) proof of liveness, b) proof of possession, c) proof of co-location, and d) a multi-modal multi-factor auth framework to beat the aforementioned vulnerabilities.

Please contact us for a demo and further details: info@silencelaboratories.com


[1] Smart things to know: Authentication for online stock trading. (2012, April 23). The Economic Times. https://economictimes.indiatimes.com/smart-things-to-know-authentication-for-online-stock-trading/articleshow/12795494.cms?from=mdr

[2] Global Year in Breach 2021. (2021, August 9). ID Agent. https://www.idagent.com/resources/the-global-year-in-breach-2021/

[3] Freeze, D. (2020, November 9). Cybercrime Damages $6 Trillion by 2021. Cybercrime Magazine. https://cybersecurityventures.com/annual-cybercrime-report-2017/#:%7E:text=Cybersecurity%20Ventures%20predicts%20cybercrime%20damages,in%20size%2C%20sophistication%20and%20cost

[4] T. (2021, April 12). Hackers hit India’s №2 broker Upstox, company says ramped up security. The Times of India. https://timesofindia.indiatimes.com/business/india-business/upstox-face-data-breach-co-says-ramped-up-security/articleshow/82021166.cms

[5] Desk, W. (2021, June 25). Cybersecurity firm Technisanct identifies data breach in leading online trading platform. The Week. https://www.theweek.in/news/biz-tech/2021/06/25/technisanct-identifies-data-breach-online-trading-platform.html

[6] NIST Special Publication 800-63B. (n.d.). NIST. https://pages.nist.gov/800-63-3/sp800-63b.html

[7] Laboratories, S. (2021, September 30). How 2FAs are faring in the 2020s? — Silence Laboratories. Medium. https://medium.com/@Silence_Laboratories/how-2fas-are-fairing-in-the-2020s-a831834ab7ab

[8] SharkBot: a new generation of Android Trojans is targeting banks in Europe | Cleafy Labs. (n.d.). Cleafy Labs. https://www.cleafy.com/cleafy-labs/sharkbot-a-new-generation-of-android-trojan-is-targeting-banks-in-europe

[9] PixStealer: a new wave of Android banking Trojans abusing Accessibility Services. (2021, October 13). Check Point Research. https://research.checkpoint.com/2021/pixstealer-a-new-wave-of-android-banking-trojans-abusing-accessibility-services/

[10] GAuth. (n.d.). GAuth. https://gauth.apps.gbraad.nl/
