A black USB device with a gold button, positioned
Crypto

Hong Kong SFC bans OTP logins for crypto platforms and brokers with 12-month deadline

The regulator is pushing passkeys, device-bound cryptographic checks, and hardware keys as phishing-resistant alternatives.

By AI News Crypto Editorial Team4 min read

Hong Kong’s Securities and Futures Commission has ordered virtual asset trading platforms and online brokers to adopt phishing-resistant authentication and device binding within 12 months. The new standard explicitly bans one-time passwords delivered via SMS, email, or app-based login flows, forcing venues to rework common access patterns for retail traders.

Key Takeaways

  • Hong Kong’s SFC set a 12-month implementation clock for new phishing-resistant login requirements covering virtual asset trading platforms and online brokers.
  • One-time passwords delivered via SMS, email, or app-based login flows are prohibited under the new standard.
  • Passkeys, cryptographically verified registered devices, and hardware security keys were listed as acceptable phishing-resistant paths.
  • Phishing and social engineering accounted for $306 million of $482 million in total crypto industry losses in Q1 2026.

SFC Starts a 12-Month Countdown for Phishing-Resistant Logins

Hong Kong’s Securities and Futures Commission (SFC) issued new requirements on Thursday, July 9, 2026, directing virtual asset trading platforms (VATPs) and online brokers in the city to adopt phishing-resistant authentication and device-binding controls within the next 12 months.

For market participants, the headline is less about a new feature and more about a mandated baseline for account access. The SFC is treating login security as a core control surface for regulated venues, not a user preference. The packet excerpt does not include the full SFC document, leaving open questions on which specific platforms are covered and how enforcement will be applied.

OTP via SMS/Email/App Is Out: What the New Standard Requires

The standard prohibits one-time passwords (OTPs) delivered via SMS, email, or app-based logins. That is a direct hit to the most common two-factor authentication patterns used across retail trading apps, and it effectively forces a migration away from code-based verification that can be intercepted or socially engineered.

The SFC’s requirement pairs “phishing-resistant authentication” with “device binding.” In practice, that means access is expected to be tied to a specific registered device using cryptographic checks, rather than relying on a code that can be typed into a fake site or handed over to an attacker.

The operational implication is straightforward. Over the 12-month window, traders should expect staged changes like new device enrollment prompts, modified account recovery steps, and tighter friction around first-time logins and device changes as venues unwind OTP-based flows.

Passkeys, Device Cryptographic Verification, and Hardware Keys: The Approved Paths

The SFC cited passkeys, registered devices with cryptographic verification, and hardware security keys as phishing-resistant alternatives.

Passkeys typically shift authentication to cryptographic keys stored on a device and unlocked by biometrics or a device PIN, reducing the value of stolen passwords and eliminating the “type the code” moment that phishing kits exploit. Registered-device cryptographic verification points to a model where the venue verifies the device itself, not just the user’s knowledge of a password. Hardware security keys extend that concept with a physical factor that proves possession.

Taken together, the menu signals a preference for authentication methods that are materially harder to phish than OTPs, even when attackers can convincingly impersonate a venue’s login page.

The Trading Impact Is Operational—Watch Rollouts, Lockouts, and Venue Friction

The SFC framed the move against a measurable threat backdrop. Phishing attacks and social engineering scams accounted for $306 million of the crypto industry’s $482 million in total losses in Q1 2026. The packet also cites phishing scam-related losses totaling $366 million in the first half of 2026.

Locally, counterfeiting and fraud attacks represented 57% of security incidents reported to the Hong Kong Cyber Security Accident Coordination Center in 2025. Dr. Ye Zhiheng said, “To protect customer accounts from increasingly complex and changing counterfeiting and fraud attacks, comprehensive measures must be implemented in conjunction with prevention, detection, response and education,” positioning the login change as one layer in a broader control stack.

For traders, the near-term risk is not price discovery. It is access. Platform-by-platform rollouts can create lockouts, delayed recoveries, and friction when moving between venues, especially if hardware-key support or device enrollment is uneven.

How I'm Reading Hong Kong SFC mandates phishing-resistant logins

I read this as a market-structure change in the plumbing, not a narrative catalyst. By banning OTPs via SMS, email, or app-based login flows, the SFC is forcing Hong Kong venues to treat device-bound, phishing-resistant authentication as table stakes, and that tends to surface first as operational churn rather than immediate trading impact.

The threshold that matters is whether venues can migrate users without creating persistent access friction. If passkey support, device-binding enrollment, and account recovery flows roll out cleanly across platforms inside the 12-month window, the setup starts to look structural rather than narrative-driven, and the practical payoff is fewer account-takeover events without degrading execution continuity.

Sources