Guavy AI Editorial TeamSentiment: 2Clout: 82

Hong Kong Crypto Platforms Must Ditch One-Time Passwords by 2027

The Securities and Futures Commission (SFC) in Hong Kong has ordered licensed crypto platforms to replace one-time passwords (OTPs) for client logins and device binding with more secure methods by July 8, 2027. This move aims to curb phishing attacks that have been stealing credentials and allowing attackers to trigger unauthorized transactions.

The SFC requires firms to use authentication methods that can resist phishing for client logins and device registration. One-time passwords do not meet this standard, according to the regulator.

Firms must review and improve their monitoring and incident-response procedures immediately. The SFC wants them to suspend or restrict an account as soon as they spot signs of fraud. Large internet brokers are expected to deploy the stronger methods immediately, while smaller platforms have a 12-month implementation period.