Hong Kong crypto platforms have until July 8, 2027, to ditch one-time passwords for client logins and device registration under new security rules.
By then, licensed virtual asset service providers and internet brokers must use authentication that can resist phishing for client logins and the registration or binding of devices, according to a July 9 circular.
The regulator said one-time passwords, or OTPs, do not meet that standard and should not be used for those two processes.
The rule applies only when clients log in or link a new device, leaving other OTP uses unchanged.
Firms do not have to make existing clients rebind devices that are already linked. Large internet brokers are expected to deploy the stronger methods immediately, while the broader group has a 12-month implementation period.
Controls around those logins take effect from the outset. Firms must review and improve client notifications, account monitoring, surveillance and incident-response procedures now.
The SFC requires firms to suspend or restrict an account as soon as they spot signs of fraud.
A deadline with liability attached
The order follows phishing campaigns reported in 2025. Fraudsters sent text messages containing links that impersonated brokers and purported to be requests from regulators or government bodies.
Clients handed over login credentials and one-time passcodes on fake sites, giving attackers a path to hijack sessions and move funds.
The SFC wants firms to monitor irregular logins, new-device activity, trading that deviates from a client’s history, and fund or virtual-asset withdrawals.
Clients should receive prompt notices of successful logins and higher-risk changes, including new devices and the creation or revocation of passkeys.
Passkeys use public-key cryptography in place of a reusable secret that a client can type into a fake site.
The credential is designed to work only with the legitimate service, while the private key remains on the user’s device or with a passkey manager.
The SFC also accepts device binding built around robust verification, with an additional factor such as a biometric check or an account password.
The regulator tied those safeguards to firms’ duty to shield clients from theft and fraud.
It said a firm can be held accountable for client losses when inadequate measures fail to prevent, detect and stop large-scale unauthorized transactions after a hacking incident.
Senior managers overseeing overall operations and information technology are ultimately responsible for the rollout.
The real test comes by July 2027, when platforms must drop OTP at key login points while improving fraud detection enough to protect clients through the change.
The post Hong Kong gives crypto platforms one year to ditch one-time passwords or cover user losses appeared first on CryptoSlate.









