
Hong Kong's securities regulator ordered crypto platforms to replace SMS and email OTPs with passkeys or hardware keys within 12 months, covering licensed venues.
Hong Kong's Securities and Futures Commission ordered virtual asset trading platforms and online brokers to adopt phishing-resistant authentication within 12 months. The regulator banned one-time passwords sent by SMS and email. In-app code delivery is also covered under the directive.
The SFC cited passkeys and hardware security keys as acceptable replacements. Device-bound cryptographic credentials are another option. The order targets account takeovers that rely on intercepting SMS codes, a common vector in crypto theft.
SMS-based OTPs are vulnerable to SIM-swap attacks and phishing, which have drained user funds across platforms globally. The SFC's move follows a broader tightening of oversight for Hong Kong's virtual asset sector. The 12-month compliance period starts from the date of the circular, issued this week.
For traders using Hong Kong-licensed exchanges, the change means login procedures will shift from entering a six-digit code to using a biometric or physical key. Platforms will need to distribute hardware tokens or integrate passkey standards before the deadline. Users should expect to register a device or obtain a security key ahead of the cutoff.
The order takes effect 12 months from the date of the circular.
Prepared with AlphaScala editorial tooling from the source reporting linked above. Indexable analysis may include a cited Alpha Score value. Publishing checks screen each story before release. Educational coverage, not personalized advice.