
Hong Kong gives crypto platforms one year to ditch one-time passwords or cover user losses
Hong Kong crypto platforms have until July 8, 2027, to ditch one-time passwords for client logins and device registration under new security rules. By then, licensed virtual asset service providers and internet brokers...
Bitcoin 1 Minute
Here is the latest from the digital-asset markets: Hong Kong crypto platforms have until July 8, 2027, to ditch one-time passwords for client logins and device registration under new security rules. By then, licensed virtual asset service providers and internet brokers must use authentication that can resist phishing for client logins and the registration or binding of devices, according to a July 9 circular. The regulator said one-time passwords, or OTPs, do not meet that standard and should not be used for those two processes.
The rule applies only when clients log in or link a new device, leaving other OTP uses unchanged. Firms do not have to make existing clients rebind devices that are already linked. Large internet brokers are expected to deploy the stronger methods immediately, while the broader group has a 12-month implementation period.
Market Dynamics
Related Reading Hong Kong approves 4 new crypto trading platform licenses in regulatory push The licensed platforms must meet rigorous standards and undergo evaluations to ensure compliance with global security practices. Dec 18, 2024 Oluwapelumi Adejumo Controls around those logins take effect from the outset. Firms must review and improve client notifications, account monitoring, surveillance and incident-response procedures now.
The SFC requires firms to suspend or restrict an account as soon as they spot signs of fraud. A deadline with liability attached The order follows phishing campaigns reported in 2025. Fraudsters sent text messages containing links that impersonated brokers and purported to be requests from regulators or government bodies.
Clients handed over login credentials and one-time passcodes on fake sites, giving attackers a path to hijack sessions and move funds. Related Reading FCC robocall rule could make phone accounts a richer target for crypto attackers The FCC’s robocall proposal could turn phone accounts into richer targets for SIM swaps, recovery abuse, and crypto theft. Jun 21, 2026 Gino Matos The SFC wants firms to monitor irregular logins, new-device activity, trading that deviates from a client’s history, and fund or virtual-asset withdrawals.
Market Impact
Clients should receive prompt notices of successful logins and higher-risk changes, including new devices and the creation or revocation of passkeys. Passkeys use public-key cryptography in place of a reusable secret that a client can type into a fake site. The credential is designed to work only with the legitimate service, while the private key remains on the user’s device or with a passkey manager.
The SFC also accepts device binding built around robust verification, with an additional factor such as a biometric check or an account password. The regulator tied those safeguards to firms’ duty to shield clients from theft and fraud. It said a firm can be held accountable for client losses when inadequate measures fail to prevent, detect and stop large-scale unauthorized transactions after a hacking incident.
Related Reading The trick big crypto exchanges are using to mitigate hacks, yet can still lock up your money Exchanges can reimburse hacked balances, but they can’t stop the instant shock to liquidity and market depth. Dec 1, 2025 Gino Matos Senior managers overseeing overall operations and information technology are ultimately responsible for the rollout. The real test comes by July 2027, when platforms must drop OTP at key login points while improving fraud detection enough to protect clients through the change.
This shift continues to shape the digital-asset landscape, with analysts examining its near-term effects.




