|

Hong Kong gives crypto platforms one year to ditch one-time passwords or cover user losses

Hong Kong approves 4 new crypto trading platform licenses in regulatory push

Hong Kong crypto platforms have till July 8, 2027, to ditch one-time passwords for consumer logins and machine registration beneath new safety guidelines.

By then, licensed digital asset service suppliers and web brokers should use authentication that may resist phishing for consumer logins and the registration or binding of units, in accordance to a July 9 circular.

The regulator stated one-time passwords, or OTPs, don’t meet that customary and shouldn’t be used for these two processes.

The rule applies solely when shoppers log in or hyperlink a brand new machine, leaving different OTP makes use of unchanged.

Firms don’t have to make current shoppers rebind units which might be already linked. Large web brokers are anticipated to deploy the stronger strategies instantly, whereas the broader group has a 12-month implementation interval.

Hong Kong approves 4 new crypto trading platform licenses in regulatory push
Related Reading

Hong Kong approves 4 new crypto trading platform licenses in regulatory push

The licensed platforms must meet rigorous standards and undergo evaluations to ensure compliance with global security practices.
Dec 18, 2024
·
Oluwapelumi Adejumo

Controls round these logins take impact from the outset. Firms should evaluate and enhance consumer notifications, account monitoring, surveillance and incident-response procedures now.

The SFC requires corporations to droop or limit an account as quickly as they spot indicators of fraud.

A deadline with legal responsibility connected

Timeline showing Hong Kong SFC requirements from July 9, 2026 to July 8, 2027, including immediate monitoring duties, passkeys, bound devices and senior management accountability.

The order follows phishing campaigns reported in 2025. Fraudsters despatched textual content messages containing hyperlinks that impersonated brokers and purported to be requests from regulators or authorities our bodies.

Clients handed over login credentials and one-time passcodes on pretend websites, giving attackers a path to hijack periods and transfer funds.

FCC robocall rule could make phone accounts a richer target for crypto attackers
Related Reading

FCC robocall rule could make phone accounts a richer target for crypto attackers

The FCC’s robocall proposal could turn phone accounts into richer targets for SIM swaps, recovery abuse, and crypto theft.
Jun 21, 2026
·
Gino Matos

The SFC desires corporations to monitor irregular logins, new-device exercise, buying and selling that deviates from a consumer’s historical past, and fund or virtual-asset withdrawals.

Clients ought to obtain immediate notices of profitable logins and higher-risk modifications, together with new units and the creation or revocation of passkeys.

Passkeys use public-key cryptography rather than a reusable secret {that a} consumer can kind right into a pretend website.

The credential is designed to work solely with the professional service, whereas the non-public key stays on the user’s machine or with a passkey supervisor.

The SFC additionally accepts machine binding constructed round strong verification, with a further issue similar to a biometric test or an account password.

The regulator tied these safeguards to corporations’ obligation to defend shoppers from theft and fraud.

It stated a agency may be held accountable for consumer losses when insufficient measures fail to forestall, detect and cease large-scale unauthorized transactions after a hacking incident.

The trick big crypto exchanges are using to mitigate hacks, yet can still lock up your money
Related Reading

The trick big crypto exchanges are using to mitigate hacks, yet can still lock up your money

Exchanges can reimburse hacked balances, but they can’t stop the instant shock to liquidity and market depth.
Dec 1, 2025
·
Gino Matos

Senior managers overseeing general operations and knowledge know-how are finally accountable for the rollout.

The actual check comes by July 2027, when platforms should drop OTP at key login factors whereas enhancing fraud detection sufficient to shield shoppers by means of the change.

The publish Hong Kong gives crypto platforms one year to ditch one-time passwords or cover user losses appeared first on CryptoSlate.

Similar Posts