According to the Securities and Futures Commission, Hong Kong's licensed virtual asset trading platforms and internet brokers must phase out one-time password (OTP) authentication for customer logins and device registration within 12 months, replacing it with stronger methods such as passkeys and device binding.
The directive follows a sharp rise in spoofing attacks and account takeovers. The SFC noted that spoofing attacks accounted for 57% of all reported security incidents in 2025, based on data from the Hong Kong Cyber Security Incident Coordination Centre. Firms must also strengthen fraud monitoring systems, notify customers of suspicious activity promptly, and implement customer education programs on phishing and impersonation risks. Large internet brokerage firms were told to adopt the new authentication methods immediately, while the 12-month timeline applies to other licensed entities.