
The SFC's directive targets phishing attacks that inflicted substantial financial damage on crypto exchanges. It requires passkeys or hardware tokens and puts executive accountability on the line for security failures.
Hong Kong's Securities and Futures Commission has ordered digital-asset exchanges and online brokers to scrap one-time password authentication. The directive, published Thursday, gives firms 12 months to adopt phishing-resistant login methods. Passkeys and hardware tokens qualify. So does cryptographic device verification. SMS codes and email codes are out. App-generated one-time passwords are also prohibited. The SFC also requires cryptographic device verification for trusted hardware, meaning each login must be approved by a registered device.
The ban covers user access and device registration. The SFC said platforms must also build monitoring systems that flag anomalous login behavior and unusual trading activity. Suspicious withdrawal requests trigger alerts as well. The circular requires platforms to notify account holders immediately when something changes on their profiles.
Executive leadership carries direct responsibility for security failures. The SFC said management teams will face direct accountability when weak controls lead to customer losses. That puts board-level pressure on compliance timelines, especially for larger firms with millions of users.
The move follows a wave of phishing and social-engineering attacks that inflicted substantial financial damage across the crypto ecosystem in early 2026. The SFC said the directive addresses escalating threats from credential theft and account hijacking. Sophisticated phishing operations also drove the decision. Hong Kong's own cybersecurity assessments showed fraud and counterfeiting accounted for a large share of documented breaches in 2025.
The SFC framed the authentication upgrade as part of a broader set of market safeguards. The regulator also encouraged users to maintain strong security practices. It said customers should access accounts only through verified official websites and authorized platform applications. Users should report any suspected unauthorized access or questionable transaction activity immediately.
For traders using Hong Kong platforms, the shift eliminates the most common vector for account compromise: intercepted SMS codes. Phishing kits that clone login pages and forward OTPs in real time become ineffective against passkey-based authentication, which ties the approval to the specific device and domain.
The one-year transition period gives platforms time to implement the changes. The SFC said larger brokers and exchanges should proceed with immediate adoption given their substantial user bases. The safest approach is to already use a hardware wallet or passkey where supported. Not all platforms offer that yet.
Prepared with AlphaScala editorial tooling from the source reporting linked above. Indexable analysis may include a cited Alpha Score value. Publishing checks screen each story before release. Educational coverage, not personalized advice.