Hong Kong gives crypto platforms one year to ditch one-time passwords or cover user losses

Jul 10, 2026 - 19:45
Hong Kong gives crypto platforms one year to ditch one-time passwords or cover user losses

Hong Kong crypto platforms have until July 8, 2027, to ditch one-time passwords for client logins and device registration under new security rules.

By then, licensed virtual asset service providers and internet brokers must use authentication that can resist phishing for client logins and the registration or binding of devices, according to a July 9 circular.

The regulator said one-time passwords, or OTPs, do not meet that standard and should not be used for those two processes.

The rule applies only when clients log in or link a new device, leaving other OTP uses unchanged.

Firms do not have to make existing clients rebind devices that are already linked. Large internet brokers are expected to deploy the stronger methods immediately, while the broader group has a 12-month implementation period.

Hong Kong approves 4 new crypto trading platform licenses in regulatory push
Related Reading

Hong Kong approves 4 new crypto trading platform licenses in regulatory push

The licensed platforms must meet rigorous standards and undergo evaluations to ensure compliance with global security practices.
Dec 18, 2024 · Oluwapelumi Adejumo

Controls around those logins take effect from the outset. Firms must review and improve client notifications, account monitoring, surveillance and incident-response procedures now.

The SFC requires firms to suspend or restrict an account as soon as they spot signs of fraud.

A deadline with liability attached

Timeline showing Hong Kong SFC requirements from July 9, 2026 to July 8, 2027, including immediate monitoring duties, passkeys, bound devices and senior management accountability.

The order follows phishing campaigns reported in 2025. Fraudsters sent text messages containing links that impersonated brokers and purported to be requests from regulators or government bodies.

Clients handed over login credentials and one-time passcodes on fake sites, giving attackers a path to hijack sessions and move funds.

FCC robocall rule could make phone accounts a richer target for crypto attackers
Related Reading

FCC robocall rule could make phone accounts a richer target for crypto attackers

The FCC’s robocall proposal could turn phone accounts into richer targets for SIM swaps, recovery abuse, and crypto theft.
Jun 21, 2026 · Gino Matos

The SFC wants firms to monitor irregular logins, new-device activity, trading that deviates from a client’s history, and fund or virtual-asset withdrawals.

Clients should receive prompt notices of successful logins and higher-risk changes, including new devices and the creation or revocation of passkeys.

Passkeys use public-key cryptography in place of a reusable secret that a client can type into a fake site.

The credential is designed to work only with the legitimate service, while the private key remains on the user’s device or with a passkey manager.

The SFC also accepts device binding built around robust verification, with an additional factor such as a biometric check or an account password.

The regulator tied those safeguards to firms’ duty to shield clients from theft and fraud.

It said a firm can be held accountable for client losses when inadequate measures fail to prevent, detect and stop large-scale unauthorized transactions after a hacking incident.

The trick big crypto exchanges are using to mitigate hacks, yet can still lock up your money
Related Reading

The trick big crypto exchanges are using to mitigate hacks, yet can still lock up your money

Exchanges can reimburse hacked balances, but they can’t stop the instant shock to liquidity and market depth.
Dec 1, 2025 · Gino Matos

Senior managers overseeing overall operations and information technology are ultimately responsible for the rollout.

The real test comes by July 2027, when platforms must drop OTP at key login points while improving fraud detection enough to protect clients through the change.

The post Hong Kong gives crypto platforms one year to ditch one-time passwords or cover user losses appeared first on CryptoSlate.