
SFC gives brokers and crypto platforms 12 months to kill OTP logins, mandates passkeys and tied devices. Firms face liability for client losses from preventable hacks.
Hong Kong's Securities and Futures Commission has told internet brokers and licensed crypto platforms to kill the one-time password. The regulator wants them on phishing-resistant authentication such as passkeys within 12 months, and warned firms they will be on the hook for client losses from preventable hacks.
The SFC set out the requirement in a circular published 9 July, addressed to internet brokers and SFC-licensed virtual asset service providers. It gives firms until 8 July 2027 to implement the new authentication for account logins and device binding. Large internet brokers need to make the change immediately.
The language is direct about what most trading apps still use. “The SFC does not consider OTP to be a phishing-resistant authentication solution”, the regulator said in the circular. Firms “should not use it” for logins or for registering the devices tied to an account.
The directive follows a wave of account takeovers. In 2025, the SFC said in the circular, fraudsters ran large-scale SMS phishing campaigns that impersonated brokers and referred to purported requests from regulators. Attackers lured clients into entering credentials, including OTPs, on fake websites. The attackers are suspected to have used a man-in-the-middle attack to intercept the codes, reach the accounts and place unauthorised trades, the SFC said in the circular. Phishing made up 57% of the cybersecurity incidents reported to Hong Kong's computer emergency response centre in 2025.
In OTP's place, the SFC pointed to passkeys – password-less credentials based on public-key cryptography that, it said in the circular, are “recognised internationally as a phishing-resistant authentication method”. The regulator also cited bound devices linked to a client's account through verified device attributes. Firms generally should not let a client register more than three passkeys or three devices, the SFC said.
The circular puts senior managers directly on the hook for the overhaul. Responsibility rests with each firm's Manager-in-Charge of Overall Management and Oversight and its equivalent for information technology. Where a broker or platform fails to stop large-scale unauthorised transactions following a hack, the SFC wrote that it “will hold the relevant firm accountable for the losses suffered by its clients.”
Alongside the login change, the circular tells firms to alert clients to high-risk events such as new-device logins and passkey changes, to monitor accounts for abnormal trading, and to report hacking incidents to the SFC immediately. It builds on cybersecurity circulars the regulator issued in September 2020 and February 2025.
The order gives the industry a 12-month compliance window. Firms running older authentication stacks face a choice: rebuild login flows around passkey protocols before the 8 July 2027 deadline, or accept SFC scrutiny over client losses from the attacks OTPs made possible.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.