Hong Kong’s Securities and Futures Commission has ordered licensed virtual asset trading platforms and online brokerage firms to phase out one-time passwords for customer logins and device registration, marking one of the city’s clearest moves yet to raise cybersecurity standards across digital finance.
The regulator said firms must replace one-time password systems within 12 months with stronger authentication methods, including passkeys and device binding. The goal is to reduce the risk of impersonation, phishing, account takeover and unauthorized access to trading accounts.
The directive applies to licensed virtual asset trading platforms and online brokers regulated by the SFC. Larger brokerage firms are expected to move immediately toward the new standards, while smaller firms have been given a longer transition period, with compliance expected by mid-2027.
The SFC said the change follows a sharp rise in spoofing and hacking incidents affecting Hong Kong’s financial sector. According to the Hong Kong Cyber Security Incident Coordination Centre, spoofing accounted for 57% of all reported cybersecurity incidents in 2025, making it the most common category of attack reported that year.
The regulator’s message is direct: one-time passwords, once treated as a standard layer of protection, are no longer strong enough on their own for high-risk financial accounts.
Why the SFC is moving away from one-time passwords
One-time passwords are temporary codes sent by SMS, email, or generated through authentication apps. For years, they have been widely used as a second step after a username and password. But the SFC’s latest order reflects growing concern that these codes can be intercepted, stolen, or manipulated through social engineering.
Criminals increasingly use fake websites, spoofed phone numbers, fraudulent messages and impersonation scams to trick account holders into revealing login details and security codes. Once a code is shared, attackers may be able to access accounts, register new devices, place trades, or submit withdrawal requests.
The SFC said licensed firms must strengthen authentication controls to reduce these risks. In a circular, Yip Chi-hang, executive director of intermediaries at the SFC, said licensed institutions are expected to improve their systems to help prevent phishing and unauthorized account access.
The regulator also instructed firms to deploy tools that can detect suspicious activity, including unusual login attempts, abnormal trading patterns and questionable withdrawal behavior. This means firms are not only being asked to improve how clients log in, but also how platforms monitor activity after access has been granted.
What firms will need to change
The SFC’s directive pushes firms toward authentication methods that are harder to steal or reuse. Passkeys and device binding are at the center of the new approach.
Passkeys use cryptographic verification instead of typed passwords or manually entered temporary codes. In practice, a client may approve access using a fingerprint, facial scan, screen lock or other device-based verification. The authentication is tied to the client’s device and the legitimate service, making it far more difficult for a fake website to capture usable login credentials.
Device binding adds another layer of control by linking an account to a specific phone, computer or other approved device. If an attacker has a password but does not have access to the registered device, the attempt to log in or register another device may be blocked or challenged.
For traders, the result will be a noticeable change in how they access trading platforms. Instead of receiving a code and typing it into a login page, many users will be asked to verify access through a trusted device. This may initially require setup steps, but the long-term aim is to make account access safer and less dependent on information that can be copied or tricked out of a user.
The SFC’s order also covers device registration, a critical point in account security. If criminals can register their own device to a victim’s account, they may gain persistent access. By requiring stronger verification at the device-registration stage, the regulator is targeting one of the key pathways used in account takeover attacks.
Cyber losses are rising
The SFC’s move comes as Hong Kong faces growing cybercrime pressure across financial services. Reported hacking-related financial losses in the city more than doubled from HK$25.5 million in 2024 to HK$62.6 million in 2025. In the first quarter of 2026, hacking-related losses rose nearly 70% year on year to HK$21.2 million.
Those figures help explain the urgency behind the regulator’s campaign. Financial platforms are attractive targets because successful attacks can quickly lead to unauthorized trades, asset transfers or withdrawals. Virtual asset accounts can be especially sensitive because digital assets may move rapidly once withdrawn, and recovery can be difficult.
Spoofing remains a major concern. In these attacks, criminals disguise themselves as trusted companies, regulators, banks, brokers or platform support teams. A victim may receive a message that appears to come from a legitimate platform, warning of suspicious activity or requiring a security update. The message may direct the person to a fake website that captures login details and one-time passwords.
The SFC warned firms to maintain regular communication with clients about emerging threats, including impersonation scams. It also told firms to alert clients about account activity and respond quickly when hacking incidents occur.
Senior managers face accountability
One of the strongest parts of the SFC’s message concerns management responsibility. The regulator emphasized that senior management remains accountable for the adequacy of internal controls. Firms may face consequences if client losses are linked to weak security controls or delayed responses to known risks.
This raises the stakes for platform operators. Cybersecurity is not being treated as a technical matter that can be left only to information technology teams. The SFC is framing it as a governance issue, with direct responsibility at the top of licensed institutions.
For brokers and virtual asset platforms, the directive is likely to require investment in authentication infrastructure, fraud monitoring, staff training and client education. Firms will need to review existing login systems, device registration procedures, withdrawal controls and incident response plans.
They will also need to ensure that security upgrades do not create confusion among clients. A poorly communicated transition can create opportunities for scammers, who may pretend to represent a platform and send fake “upgrade” messages to steal credentials.
What traders should expect
Traders in Hong Kong should expect more platform messages about new login procedures over the coming months. These may include requests to register trusted devices, activate passkeys, update mobile apps or confirm biometric authentication settings.
The shift may feel inconvenient at first, especially for users who access accounts across multiple devices. However, the direction of travel is clear: platforms will rely less on codes that can be copied and more on authentication tied to physical devices and cryptographic credentials.
Traders should take extra care during the transition. Scammers are likely to exploit the change by sending fraudulent emails, text messages or social media posts claiming that urgent action is required. Any instruction to upgrade account security should be verified through the platform’s official website, official app or confirmed customer service channel.
It is also important to avoid clicking links in unexpected messages, even if they appear to come from a known broker or virtual asset platform. A safer approach is to open the platform’s app directly or type the official website address into the browser.
The SFC’s directive also means traders may begin receiving more account alerts. These could include notifications for logins, device changes, trade orders, withdrawals or security setting updates. Such alerts can help identify suspicious activity quickly, but only if users review them and report anything unusual without delay.
Hong Kong tightens digital finance oversight
The order forms part of a broader tightening of cybersecurity expectations in Hong Kong’s financial sector. As trading activity has moved further online, regulators have become more focused on the operational resilience of brokers and virtual asset platforms.
Hong Kong has been positioning itself as a regulated hub for digital assets, but that effort depends heavily on trust in licensed platforms. Stronger cybersecurity rules are central to that trust. If account takeovers and spoofing scams continue to rise, confidence in online trading services can weaken, even when market infrastructure and licensing rules are in place.
The SFC’s latest action shows that minimum security standards are evolving. A password plus a one-time code may no longer be considered adequate protection for accounts that can be used to trade securities or virtual assets. The regulator is now pushing the industry toward authentication systems designed to resist phishing rather than simply add another code-based step.
The practical effect will vary by firm. Larger brokers with more resources may be able to implement passkeys, device binding and advanced monitoring quickly. Smaller firms may need more time to integrate new systems, test them and guide clients through the transition. Still, the compliance path has been set.
A new baseline for account protection
The SFC’s decision does not mean one-time passwords will disappear from every service overnight. But for licensed virtual asset platforms and online brokerage firms in Hong Kong, their role in customer login and device registration is being phased out.
The change reflects a broader global shift in cybersecurity. Attackers have become better at defeating older forms of two-factor authentication, particularly when those systems depend on users reading and entering codes. Passkeys and device-based verification reduce the value of stolen passwords and make phishing attacks harder to complete.
For firms, the new requirements create a clear obligation to modernize security controls and monitor account activity more aggressively. For traders, the change means safer but more structured access to accounts, with greater reliance on trusted devices and verified login methods.
The regulator’s stance is also a warning to the industry: security failures are not just customer service problems. They can become regulatory problems, governance problems and financial liability problems.
As spoofing and impersonation scams become more advanced, Hong Kong’s financial platforms are being told to raise their defenses before the next wave of attacks. The SFC’s order makes stronger authentication the new standard, and firms that continue to rely on one-time passwords will have a limited window to move on.
Strengthen your account security with modern authentication—learn how to create a passkey and reduce phishing and takeover risks.
Disclaimer: The content on this page is provided for general informational purposes only and does not represent the views or financial advice of Toobit. We make no guarantees regarding the accuracy or completeness of this information and shall not be held liable for any errors, omissions, or outcomes resulting from its use. Investing in digital assets involves risk; users should independently evaluate their financial situation and the risks involved. For further details, please consult our Terms of Service and Risk Disclosure.

