Hong Kong gives crypto firms one year to ditch OTPs

Hong Kong’s regulator ordered licensed crypto platforms and internet brokers to stop using one-time passwords for logins and device binding by July 8, 2027 and warned firms may be liable for client losses.

A July 9 circular from Hong Kong’s Securities and Futures Commission requires licensed virtual-asset platforms and internet brokers to stop using one-time passwords for customer logins and for registering or binding devices by July 8, 2027. The regulator warned firms could be held liable for client losses if weak controls allow large-scale unauthorized transactions.

The rule covers only the two specific processes of signing in and linking devices. Other uses of OTPs can continue and platforms do not have to force customers to rebind devices already registered. Controls around the specified login points take effect immediately, while firms have up to 12 months to complete the technical changes.

The circular lists passkeys and strong device-binding methods as acceptable alternatives. Passkeys use public-key cryptography: the service holds a public key while the private key stays on the user’s device or in a passkey manager, and the credential is designed to work only with the legitimate site. Device binding that combines robust verification with an extra factor, such as a biometric check or an account password, is also acceptable.

Firms must improve monitoring, notification and incident-response arrangements now. They are required to review client-notification protocols and enhance account monitoring and surveillance to detect suspicious activity. Firms should suspend or restrict accounts when signs of fraud appear and monitor for irregular login patterns, new-device activity, trading that departs from a customer’s normal history, and withdrawals of funds or digital assets.

Customers should receive prompt alerts for successful logins and for higher-risk changes, including the addition of a new device or the creation or revocation of passkeys.

The regulator linked the technical requirements to its duty to protect customers from theft and fraud, noting firms may be held accountable for losses if safeguards fail to prevent, detect and stop widespread unauthorized transactions after a breach. Senior managers responsible for overall operations and information technology are identified as ultimately responsible for implementing the new measures.

The guidance follows phishing campaigns reported in 2025, when fraudsters sent text messages impersonating brokers or regulators and directed customers to fake websites. Victims entered login credentials and OTPs on those sites, enabling attackers to hijack sessions and move assets. The July 8, 2027 deadline aims to reduce the risk that reusable or easily intercepted codes can be used to bypass account protections as platforms transition to phishing-resistant methods.

Content on BlockPort is provided for informational purposes only and does not constitute financial guidance.
We strive to ensure the accuracy and relevance of the information we share, but we do not guarantee that all content is complete, error-free, or up to date. BlockPort disclaims any liability for losses, mistakes, or actions taken based on the material found on this site.
Always conduct your own research before making financial decisions and consider consulting with a licensed advisor.
For further details, please review our Terms of Use, Privacy Policy, and Disclaimer.

Articles by this author

This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.