Hong Kong gives crypto platforms one year to ditch one-time passwords or cover user losses
Hong Kong crypto platforms have till July 8, 2027, to ditch one-time passwords for consumer logins and machine registration beneath new safety guidelines.
By then, licensed digital asset service suppliers and web brokers should use authentication that may resist phishing for consumer logins and the registration or binding of units, in accordance to a July 9 circular.
The regulator stated one-time passwords, or OTPs, don’t meet that customary and shouldn’t be used for these two processes.
The rule applies solely when shoppers log in or hyperlink a brand new machine, leaving different OTP makes use of unchanged.
Firms don’t have to make current shoppers rebind units which might be already linked. Large web brokers are anticipated to deploy the stronger strategies instantly, whereas the broader group has a 12-month implementation interval.
Controls round these logins take impact from the outset. Firms should evaluate and enhance consumer notifications, account monitoring, surveillance and incident-response procedures now.
The SFC requires corporations to droop or limit an account as quickly as they spot indicators of fraud.
A deadline with legal responsibility connected
The order follows phishing campaigns reported in 2025. Fraudsters despatched textual content messages containing hyperlinks that impersonated brokers and purported to be requests from regulators or authorities our bodies.
Clients handed over login credentials and one-time passcodes on pretend websites, giving attackers a path to hijack periods and transfer funds.
The SFC desires corporations to monitor irregular logins, new-device exercise, buying and selling that deviates from a consumer’s historical past, and fund or virtual-asset withdrawals.
Clients ought to obtain immediate notices of profitable logins and higher-risk modifications, together with new units and the creation or revocation of passkeys.
Passkeys use public-key cryptography rather than a reusable secret {that a} consumer can kind right into a pretend website.
The credential is designed to work solely with the professional service, whereas the non-public key stays on the user’s machine or with a passkey supervisor.
The SFC additionally accepts machine binding constructed round strong verification, with a further issue similar to a biometric test or an account password.
The regulator tied these safeguards to corporations’ obligation to defend shoppers from theft and fraud.
It stated a agency may be held accountable for consumer losses when insufficient measures fail to forestall, detect and cease large-scale unauthorized transactions after a hacking incident.
Senior managers overseeing general operations and knowledge know-how are finally accountable for the rollout.
The actual check comes by July 2027, when platforms should drop OTP at key login factors whereas enhancing fraud detection sufficient to shield shoppers by means of the change.
The publish Hong Kong gives crypto platforms one year to ditch one-time passwords or cover user losses appeared first on CryptoSlate.

