Hong Kong crypto platforms have until July 8, 2027, to ditch one-time passwords for client logins and device registration under new security rules.
By then, licensed virtual asset service providers and internet brokers must use authentication that can resist phishing for client logins and the registration or binding of devices, according to a July 9 circular.
The regulator said one-time passwords, or OTPs, do not meet that standard and should not be used for those two processes.
The rule applies only when clients log in or link a new device, leaving other OTP uses unchanged.
Firms do not have to make existing clients rebind devices that are already linked. Large internet brokers are expected to deploy the stronger methods immediately, while…






