Hong Kong Orders Crypto Platforms to Switch to Phishing-Resistant Logins
The Hong Kong Securities and Futures Commission has issued new regulations that require all virtual asset trading platforms and online brokers in Hong Kong to eliminate one-time passwords and replace them with stronger, phishing-resistant login methods within 12 months.
This move is aimed at combating rising phishing and fraud losses in the crypto industry. According to the SFC, phishing attacks and social engineering scams caused $306 million in losses across the crypto industry in Q1 2026 alone, out of total losses of $482 million. The regulator has specified three categories of acceptable phishing-resistant solutions: passkeys, registered devices using cryptographic verification, and hardware security keys.
The SFC will hold senior management at licensed firms directly accountable for customer losses stemming from inadequate internal controls. This new regulation reflects the evolving global standards for phishing-resistant authentication and aims to protect crypto investors from increasingly complex counterfeiting and fraud attacks.




