Hong Kong’s Securities and Futures Commission just told every licensed crypto exchange and online broker in its jurisdiction to ditch one-time passwords and adopt phishing-resistant login systems. They have 12 months to comply. Large internet brokers don’t even get that grace period, they’re expected to move immediately.
The directive, issued as Circular 26EC35 on July 9, arrives at a moment when phishing attacks and account takeovers have become a persistent headache across the digital asset industry. The SFC isn’t asking nicely. Senior management at affected firms will be held personally accountable for client losses that result from cybersecurity control failures.
What the SFC is actually requiring
The circular targets two specific areas: client login authentication and device binding. In plain terms, the SFC wants platforms to make it significantly harder for attackers to impersonate users or hijack sessions, even if they’ve stolen a password.
The regulator explicitly called out one-time passwords as inadequate. OTPs, those six-digit codes texted to your phone, have long been considered a reasonable second factor of authentication. But they’re increasingly easy to intercept through SIM-swapping, man-in-the-middle attacks, and sophisticated phishing pages that relay codes in real time.






