Hong Kong SFC Orders Crypto Platforms To Drop OTP Logins
Hong Kong’s Securities and Futures Commission ordered licensed crypto platforms and internet brokers to stop using one-time passwords for customer login and device binding, giving firms up to 12 months to move to phishing-resistant authentication.
The new requirement covers virtual asset trading platform operators and internet brokerage firms. The SFC’s July 9 notice mandates phishing-resistant authentication methods for client login and device binding, including passkeys and bound-device authentication.
The move targets OTP methods delivered through SMS, email or authenticator apps, which can still be captured or relayed through spoofed login pages. A fake platform can collect a password and code in real time, then use both before the victim notices the account takeover.
Hong Kong’s cyber incident data put spoofing at 57% of reported security incidents in 2025, making impersonation attacks the main pressure point behind the rule. Crypto platforms face the same risk as online brokers, but losses can move faster when attackers reach withdrawal functions or crypto transfer controls.
Crypto Platforms Face Account-Takeover Controls
The SFC circular requires firms to strengthen the whole account-protection stack, not only the login screen. Licensed platforms must monitor suspicious login, trading and withdrawal activity, notify clients of major account activity, respond quickly to hacking incidents and warn users about impersonation campaigns.
The official circular on client login and device binding also puts senior management directly on the hook. Executives remain responsible for controls that protect client accounts and assets, and firms can be held accountable for customer losses tied to internal-control failures.
That liability language gives the order more weight than a routine cybersecurity reminder. A platform that keeps relying on weak OTP flows after the transition period could face regulatory exposure if users lose funds through preventable account takeovers.
The Hong Kong action follows earlier local warnings around fake or unlicensed crypto venues. The SFC had already flagged suspicious virtual asset platforms accused of misusing licensing claims and routing users toward fraudulent activity.
Passkeys Move Into Crypto Compliance
The order lands as crypto losses keep shifting toward phishing, social engineering and off-chain compromise. Hacken’s Q1 2026 security review put phishing losses at $306 million, driven largely by a single hardware-wallet social-engineering incident.
Crypto attackers have also moved deeper into developer and infrastructure targets. TrapDoor malware recently used malicious npm, PyPI and Crates.io packages to steal wallet data, SSH keys, cloud credentials and browser profiles from crypto and AI developer environments.
Hong Kong has been widening its regulated digital-asset perimeter this year. The city finalized crypto advisor and fund manager licensing rules in May, extending supervision beyond trading venues into advisory and asset-management activity.
Licensed crypto platforms and internet brokers must implement phishing-resistant login and device-binding methods no later than 12 months from the circular’s issue date. Large internet brokers are expected to adopt the new controls immediately.




Post Comment
You must be logged in to post a comment.