Loading prices…
🩸BEARISH

Hong Kong SFC Orders Crypto Platforms to Phase Out OTP Logins

The 12-month deadline lands as spoofing attacks climb at Hong Kong-licensed platforms; the move redefines the authentication baseline every retail-facing venue must meet.

Hong Kong's Securities and Futures Commission ordered licensed crypto platforms and online brokers to phase out one-time passwords for customer login within 12 months, citing a rise in spoofing attacks.

Why it matters

The directive signals a regulatory shift toward stronger authentication standards across Hong Kong's retail-facing financial sector. Firms must adopt more secure methods, including access keys and device binding, while tightening monitoring of suspicious login, trading, and withdrawal activity. OTP-based authentication has long been a known vulnerability vector, with attackers using phishing kits and SIM-swap tactics to intercept one-time codes sent via SMS or authenticator apps.

Market impact

The 12-month timeline forces platforms to overhaul their onboarding and login infrastructure, a non-trivial engineering lift that may accelerate consolidation among smaller operators unable to absorb the compliance costs. For users, the transition means device-bound credentials and access keys replace a familiar, friction-light flow with one that is harder to phish but slightly heavier to set up. Watch for the next round of SFC guidance on what counts as a compliant access key, since implementation standards remain undefined in the current directive.

Frequently asked questions

  1. What did Hong Kong's SFC order regarding OTP logins?

    The SFC ordered licensed crypto platforms and online brokers to phase out one-time password authentication for customer login within 12 months, citing a rise in spoofing attacks targeting OTP-based systems.

  2. What authentication methods must firms adopt instead?

    Firms must adopt stronger authentication methods, including access keys and device binding, and enhance monitoring of suspicious login, trading, and withdrawal activity.

  3. Why are OTPs considered vulnerable?

    OTP codes sent via SMS or authenticator apps can be intercepted through phishing kits and SIM-swap attacks, allowing attackers to bypass login protections without needing the user's actual password.

  4. How does this affect crypto users in Hong Kong?

    Users will move from familiar low-friction OTP flows to device-bound credentials and access keys, which are harder to phish but may require a more involved initial setup process.

  5. What is the compliance deadline for platforms?

    Licensed crypto platforms and online brokers must phase out OTP logins within 12 months of the SFC's directive, meaning affected venues must implement compliant authentication by mid-2027.

Source attribution
Aggregated from TheBlock · Verified · Last refreshed 41m ago
Open original →