Go Back

Hong Kong Declares OTP Security Obsolete for Crypto

Hong Kong Declares OTP Security Obsolete for Crypto

Murugaverl Mahasenan

Murugaverl Mahasenan

Make Catenaa preferred on (opens in a new tab)

Catenaa, Wednesday, July 15, 2026- Hong Kong’s Securities and Futures Commission (SFC) has ordered licensed virtual asset trading platforms and online brokerage firms to eliminate one-time password (OTP) authentication for customer logins and device registration, becoming one of the first major financial regulators to formally move away from a security method long regarded as an industry standard.

The directive forms part of a broader cybersecurity initiative aimed at reducing account takeovers, phishing attacks and identity spoofing targeting digital financial services.

Under a circular issued Thursday, regulated firms must replace OTP-based authentication with stronger technologies such as passkeys and secure device binding, while deploying systems capable of detecting suspicious login attempts, unusual trading activity and unauthorized withdrawals.

The regulator has given firms 12 months to complete the transition, although larger online brokerages are expected to begin implementing the stronger authentication methods immediately.

The decision reflects a growing recognition among regulators that one-time passwords, particularly those delivered through SMS, no longer provide sufficient protection against increasingly sophisticated phishing and impersonation attacks.

Unlike traditional OTP codes that users manually enter, passkeys use cryptographic authentication tied to trusted devices, making them resistant to credential theft and phishing websites.

Device binding further strengthens security by limiting account access to previously authorized hardware.

Rather than adding another layer of authentication, the SFC is requiring firms to adopt authentication methods designed to prevent credential compromise altogether.

The SFC cited figures from the Hong Kong Cyber Security Incident Coordination Centre showing that spoofing attacks accounted for 57% of reported cybersecurity incidents during 2025.

The regulator warned that phishing campaigns continue evolving rapidly, allowing attackers to intercept passwords and one-time codes while impersonating legitimate financial institutions.

To strengthen defenses, firms must introduce continuous monitoring systems capable of identifying suspicious login behavior, abnormal trading patterns and unusual withdrawal requests.

Licensed institutions must also notify customers promptly when significant account activity occurs and respond rapidly to suspected hacking incidents.

Regular customer education campaigns warning against emerging scams will become part of the regulator’s cybersecurity expectations.

The SFC also placed responsibility squarely on senior management.

The regulator said executives at licensed brokerage firms and virtual asset trading platforms remain ultimately responsible for protecting customer accounts and digital assets.

Where customer losses result from inadequate internal controls or weak cybersecurity practices, firms may face regulatory consequences.

The directive signals a shift from viewing cybersecurity as a technical function to treating it as a governance responsibility.

The policy could influence security standards beyond Hong Kong as regulators worldwide examine the resilience of digital asset infrastructure.

Many cryptocurrency exchanges and financial platforms still rely heavily on SMS-based authentication despite growing evidence that phishing kits, SIM-swapping attacks and social engineering techniques can bypass traditional one-time password systems.

By explicitly directing firms to abandon OTP logins, Hong Kong is positioning phishing-resistant authentication as an emerging regulatory expectation rather than an optional security enhancement.

The Hong Kong Securities and Futures Commission has sought to establish the city as a regulated hub for digital assets while maintaining strict standards for investor protection and operational resilience. Licensed virtual asset trading platforms operate under one of Asia’s most comprehensive crypto regulatory frameworks. The latest cybersecurity directive reflects a broader global trend toward stronger authentication technologies such as passkeys, which are increasingly being adopted by technology companies, financial institutions and government agencies to replace passwords and one-time codes vulnerable to phishing attacks.