Hong Kong's Securities and Futures Commission ordered internet brokers and licensed virtual asset trading platforms to replace one-time passwords with phishing-resistant authentication methods in requirements published on July 9. Firms must implement stronger login and device binding controls within 12 months, with larger brokers expected to begin adoption immediately. The directive addresses phishing attacks that accounted for 57% of all cybersecurity incidents reported to the Hong Kong Computer Emergency Response Team Coordination Centre during 2025. The SFC said traditional one-time passwords are no longer sufficient against increasingly sophisticated phishing campaigns targeting online trading accounts. The move reinforces Hong Kong's approach of holding digital asset firms to regulatory standards similar to those imposed on traditional financial institutions.
The SFC said internet brokers and virtual asset trading platform operators should stop using one-time passwords for both client login and device binding because more secure authentication technologies are now widely available. The regulator pointed to passkeys and device binding as examples of phishing-resistant authentication methods capable of preventing attackers from gaining access even when clients are tricked into revealing their credentials.
Device binding links a customer's trading account to a securely registered computer or mobile device using unique device characteristics, making it significantly harder for criminals to log in from unauthorised hardware. The SFC first warned firms about weaknesses associated with OTP-based authentication in February 2025 following a cybersecurity review. The latest circular turns that guidance into a regulatory requirement.
The new requirements apply equally to licensed securities brokers and virtual asset trading platform operators. Beyond stronger authentication, firms must introduce effective monitoring systems capable of detecting suspicious login attempts, unusual trading activity and abnormal withdrawal requests. They are also expected to notify clients promptly of significant account events, respond rapidly to hacking incidents and regularly warn customers about emerging phishing campaigns and other cyber threats.
The SFC said senior management will remain ultimately responsible for protecting client assets and warned that firms could be held accountable for losses resulting from inadequate cybersecurity controls. Dr Eric Yip, the SFC's Executive Director of Intermediaries, said: "Protecting client accounts from increasingly sophisticated and elusive phishing attacks requires holistic measures combining prevention, detection, response and education. Licensed firms should strengthen their first line of defence with robust authentication solutions, stay alert to suspicious activities, and respond swiftly before harm is done."
Unlike traditional credentials, passkeys rely on cryptographic authentication tied to a user's device and cannot easily be intercepted or reused through phishing websites. Technology companies including Apple, Google and Microsoft have already incorporated passkey support into their operating systems, while banks and fintech firms have begun deploying the technology for customer authentication. For brokers and crypto exchanges, stronger authentication has become increasingly important as cybercriminals target trading accounts that can provide immediate access to cash, securities and digital assets.
Alongside technical controls, the SFC urged investors to continue following basic cybersecurity practices, including using strong and unique passwords, keeping devices updated, accessing accounts only through official websites and applications, and reviewing account statements for unauthorised activity. The regulator advised investors who suspect their credentials have been compromised to contact their broker or virtual asset platform immediately, secure their accounts and report the incident to the relevant authorities.
What authentication methods did Hong Kong SFC order brokers and crypto platforms to replace?
The SFC ordered internet brokers and licensed virtual asset trading platforms to replace one-time passwords with phishing-resistant authentication methods such as passkeys and device binding in requirements published on July 9.
Why did the SFC require stronger authentication for trading accounts?
The SFC cited phishing attacks accounting for 57% of all cybersecurity incidents reported to the Hong Kong Computer Emergency Response Team Coordination Centre during 2025, stating that traditional one-time passwords are no longer sufficient against increasingly sophisticated phishing campaigns targeting online trading accounts.
What is the implementation deadline for the new authentication requirements?
Firms must implement stronger login and device binding controls within 12 months of the July 9 publication date, while larger brokers are expected to begin adopting the measures immediately.
Related News
FSC Orders Securities Firms to Submit Investor Protection Plans by July 13
Hong Kong SFC Orders 12-Month OTP Phase-Out for Crypto and Brokerage Firms
Hyperliquid Policy Center and Phantom Urge CFTC to Update Onchain Trading Rules
Hong Kong SFC Bans OTPs for Crypto Platforms Amid Phishing Surge