Hong Kong’s securities regulator has banned one-time password logins for crypto trading platforms. The rule targets phishing scams behind a surge in the region’s cybersecurity incidents.
The Securities and Futures Commission issued a circular. It orders internet brokers and crypto trading platforms to drop SMS, email, and app-based OTPs.
Platforms must switch client logins and device binding to passkeys and other phishing-resistant methods. Operators have 12 months to comply, though large brokers must switch immediately. The SFC flagged OTP risks back in February 2025 guidance. This circular now makes that shift mandatory.






