Hong Kong SFC Orders Crypto Platforms to End OTP Logins 

fiverr


Set as Google Preferred SourceFollow on Google News

TLDR

  • SFC orders crypto platforms to replace OTP logins within 12 months.
  • Passkeys and hardware keys replace SMS and email authentication codes.
  • Large online brokers should begin adopting stronger login security immediately.
  • Firms must improve monitoring of login, trading, and withdrawal activities.
  • Senior management faces accountability for failures that expose client accounts.

Hong Kong’s SFC ordered crypto platforms and online brokers to replace OTP logins with stronger security tools. The move targets account takeovers, phishing scams, and stolen client credentials. It also gives firms a 12-month deadline to meet the new standard.

SFC Sets New Login Rules for Crypto Platforms

The SFC issued the circular to internet brokers and virtual asset trading platform operators on Thursday. It requires phishing-resistant authentication for client login and device binding. The rule covers stronger controls for account access and trusted device registration.

The SFC said firms must stop using one-time passwords for login and device binding. These OTPs include codes sent through SMS, email and app-based login flows. The regulator pointed to rising phishing risks and stronger tools now available.

Passkeys, hardware security keys and cryptographic device checks can meet the new standard. These methods reduce the risk of stolen passwords and intercepted login codes. Platforms must shift from code-based checks to stronger authentication models.

Platforms Face a 12-Month Compliance Deadline

The SFC told affected firms to implement the changes as soon as practicable. All covered firms must comply within 12 months from the circular date. Large internet brokers should adopt the measures immediately because of their market reach.

The regulator also wants firms to strengthen monitoring across account activity. Brokers and VATPs must detect suspicious login, trading and withdrawal patterns. They must also notify clients quickly when important account events occur.

The SFC said senior management remains responsible for client account protection. It will hold management accountable when control failures cause client losses. As a result, firms face pressure to improve prevention, response, and internal oversight.


Zuna


Hong Kong Raises Cybersecurity Standards

The move comes as phishing and social engineering attacks grow across digital asset markets. In early 2026, those incidents caused major losses across the global crypto sector. The trend pushed regulators to focus more on account access controls.

Hong Kong also recorded heavy fraud and counterfeiting activity in recent cybersecurity reports. These attacks formed a large share of reported security incidents in 2025. The SFC framed stronger authentication as part of wider market protection.

The regulator also urged clients to secure passwords, devices, and account access channels. Users should access accounts only through official websites and licensed platform applications. They should also report suspected compromise or unauthorised transactions without delay.

 



Source link

Bybit

Be the first to comment

Leave a Reply

Your email address will not be published.


*