The Hong Kong Securities and Futures Commission issued a circular ordering internet brokerage firms and virtual asset trading platforms to overhaul their security infrastructure by eliminating one-time passwords for user logins and device registration.

The enforcement action comes as part of the regulator's ongoing campaign against account takeovers, fraud, and spoofing operations targeting online financial intermediaries. Data from the Hong Kong Cyber Security Incident Coordination Centre shows that spoofing attacks accounted for 57% of all reported security incidents in 2025, the regulator said in a statement on Thursday.

According to the statement, firms must stop using OTPs for customer login and device binding and adopt alternatives such as passkeys and device binding that can prevent impersonation.

The SFC requires implementation "as soon as practicable," with a deadline of 12 months from the circular's issuance date, and said large internet brokerage firms should adopt the new authentication methods immediately.

"To protect client accounts from increasingly sophisticated and varied phishing attacks, a comprehensive approach combining prevention, detection, response, and education is necessary," said Dr. Yip Chi-hang, Executive Director of the Intermediaries Division of the SFC. "Licensed institutions should strengthen their first line of defense through robust authentication solutions, remain vigilant against suspicious activity, and respond swiftly before damage occurs."