
Hong Kong Securities and Futures Commission Orders Virtual Asset Exchanges to Phase Out OTPs... Anti-Phishing Authentication Must Be Implemented by July 2027
The Hong Kong Securities and Futures Commission (SFC) has ordered virtual asset exchanges and online brokers to stop using one-time passwords (OTPs) and implement anti-phishing authentication systems by July 2027. Platforms that fail to implement the security upgrades must fully compensate users for any losses.
The Hong Kong Securities and Futures Commission (SFC) has announced robust regulatory measures to protect the digital asset ecosystem from evolving cyber threats. The SFC has set a deadline of July 8, 2027, for all Virtual Asset Trading Platforms (VATPs) and online brokers to phase out existing One-Time Password (OTP) methods and adopt phishing-resistant authentication.
The guidelines, released via Circular 26EC35, mandate a transition to encryption standards such as FIDO2 and hardware keys to protect investors from account takeovers and AI-driven phishing attacks. This represents a fundamental overhaul of security infrastructure to establish Hong Kong as a secure global digital asset hub and reflects the regulator's intent to hold platforms more strictly accountable for security incidents.
The SFC is requiring VATPs and online brokers to cease the use of OTPs during customer login and device binding processes. Although the final compliance deadline is set for July 8, 2027, providing a grace period of approximately one year, obligations for security monitoring and incident response will take effect starting July 10, 2026.
The SFC requires online brokers and VATPs to stop using OTPs to counter phishing attacks and customer account takeover incidents. This decision considers the risks of existing methods and the availability of stronger authentication alternatives.
The regulator has determined that traditional OTP methods are no longer sufficient to defend against sophisticated attacks. Authentication codes via SMS or email are easily intercepted through SIM swapping or elaborately designed phishing sites, and they are also vulnerable to MFA fatigue attacks that exploit user negligence, leading to persistent security loopholes.
Transition of Security Standards and Technical Necessity
Phishing-resistant MFA uses asymmetric key encryption processes to make it structurally impossible for attackers to intercept or reuse credentials through fake login pages. FIDO2 and Passkeys standards combine device binding and domain verification to fundamentally prevent users from providing authentication information to unintended sites, offering superior security compared to traditional shared secret methods.
- Immediate implementation of security monitoring and incident response obligations starting July 10, 2026
- Commencement of technical reviews for the adoption of FIDO2 standards and hardware security keys
- Strengthening user education and guidance on the use of Passkeys
- Complete replacement of all OTP-based authentication systems by July 8, 2027
The SFC has presented a unique strategy that forces platforms to choose between technical upgrades and financial liability. Under the regulations, platforms must either implement phishing-resistant login systems or guarantee full compensation and insurance coverage for all user losses resulting from security incidents. This policy provides a strong financial incentive for platform operators to find that raising security levels is the more economical choice in the long run.
This measure is part of a multi-layered regulatory response linked to Circular 26EC32, published on June 2, 2026. The SFC is continuously issuing a series of guidelines to raise security levels across the financial sector as AI-driven cyber threats increase, reflecting its commitment to making Hong Kong a secure global digital asset hub.
This trend of strengthening security is also clearly visible in global markets. Under the European Union's (EU) MiCA framework, the European Securities and Markets Authority (ESMA) is conducting more rigorous reviews of whether virtual asset custodians have sufficient security and resilience standards. Hong Kong's latest regulation is expected to bring the security competitiveness of local platforms up to a world-class level in line with these international trends.
Virtual asset platforms in Hong Kong are expected to invest significant technical costs and manpower for system overhauls over the next year. However, experts evaluate these expenditures as an essential investment to secure investor trust in the long term and for Hong Kong to gain a regulatory advantage in the global digital asset market.
Specifying that platforms take responsibility in the event of a security incident demonstrates the regulatory philosophy of the Hong Kong authorities, which prioritizes user protection. This goes beyond a simple technical change; it is a process of the virtual asset industry reaching a level of maturity comparable to institutional finance, and it is likely to serve as an important reference case for regulatory authorities in other regions in the future.
Investors should carefully review the announcements of the platforms they use and prepare to adapt to new authentication methods. While the introduction of passkeys based on hardware keys or biometric authentication may be somewhat cumbersome at first, it will provide a level of security incomparable to existing OTPs in terms of asset protection.


This content is for information and commentary only and is not investment advice.
Join the reader conversation
Read reactions to this article and leave your own note.