Hong Kong's Regulator Mandates Phishing-Resistant Login Security for Crypto Platforms

The tl;dr
Hong Kong's Securities and Futures Commission has ordered crypto platforms and online brokers to replace one-time password (OTP) logins with more secure passkey technology within 12 months. The directive comes after spoofing incidents surged, prompting regulators to tighten security standards to protect consumers from phishing attacks.
Markets in this story
30-day · delayedKey points
- The SFC, Hong Kong's financial watchdog, issued a binding order requiring crypto platforms and online brokers to eliminate OTP-based authentication systems and adopt passkey technology instead.
- Passkeys use cryptographic technology to authenticate users without transmitting codes that can be intercepted or stolen through phishing schemes, making them significantly harder to compromise than OTPs.
- The 12-month compliance deadline gives platforms time to implement new infrastructure while addressing a documented security vulnerability; spoofing attacks on these platforms have increased by 57%.
- This regulation applies to both traditional online brokers and crypto-specific exchanges operating under SFC oversight in Hong Kong.
- The move reflects growing regulatory focus on consumer protection in digital finance, as phishing and credential theft remain common attack vectors for stealing digital assets.
By the numbers
Hong Kong’s Securities and Futures Commission has issued a formal directive requiring all licensed crypto platforms and online brokers to replace one-time password (OTP) logins with passkey-based authentication within 12 months. OTPs, which send temporary codes to users’ phones or email, have proven vulnerable to phishing attacks where criminals trick users into revealing the codes or intercept them during transmission. Passkeys, by contrast, use cryptographic technology embedded in devices to verify users without requiring codes that travel across networks.
The regulatory order follows a documented surge in spoofing and phishing incidents targeting platforms in Hong Kong. By moving to passkey authentication, regulators aim to close a major security gap that has enabled account takeovers and theft of client assets. This represents a shift toward more robust security standards aligned with international best practices, though it requires platforms to overhaul their technical infrastructure.
The 12-month timeline gives platforms a clear compliance window to implement the new systems. For users, the transition means moving away from the familiar but vulnerable practice of entering codes sent via text or app, toward a system where their device itself authenticates them. The regulation underscores Hong Kong’s effort to establish stricter security baselines in crypto finance as it seeks to position itself as a regulated hub for digital asset trading.
As crypto platforms become mainstream financial gateways, regulatory mandates for stronger security directly affect user safety and the industry's credibility during ongoing concerns about account takeovers and fund theft.
Read the full story
We summarised these sources. Click through to read them in full.
Topics
- hong kong sfc
- passkey authentication
- phishing security
- crypto regulation
- otp vulnerability
This summary is AI-generated from the sources above and may contain errors, so always verify with the original reporting. It's general information only, not financial, investment, or trading advice, and not a recommendation to buy or sell anything. Markets carry risk; do your own research. See our full disclaimer.


