The Securities and Futures Commission (SFC) of Hong Kong has implemented a ban on the use of one-time passwords (OTPs) for logging into cryptocurrency trading platforms. This decision aims to combat the rise in phishing scams in a region that is experiencing a notable increase in cybersecurity incidents.
This new rule will require internet brokers and crypto platforms to eliminate SMS, email, and app-based OTPs for client access. Instead, they must transition their login systems to use passkeys and other secure methods designed to thwart phishing attempts. While the compliance deadline extends to 12 months for most platforms, larger brokers are expected to implement changes immediately. The SFC had previously raised concerns about the risks associated with OTPs in a guidance issued back in February 2025. This latest directive makes the changes obligatory.
Understanding the Significance of the Policy Change
This regulatory action comes at a time when Hong Kong is grappling with a surge in cybersecurity threats. In 2025, the region reported a staggering 15,877 cybersecurity incidents, representing a 27% increase from the previous year. Notably, phishing attempts were responsible for 57% of these cases, highlighting the urgent need for improved security protocols.
- 15,877 cybersecurity incidents reported in 2025
- Phishing accounted for 57% of cybersecurity cases
- More than double the 2023 total of 7,752 incidents
- Global phishing losses tied to crypto wallets exceeded $306 million in Q1 2026
Moreover, a recent high-profile attack siphoned off nearly $1 million from a single Ethereum wallet via a phishing signature, underscoring the vulnerability of users in the cryptocurrency landscape.
Next Steps in Crypto Security Regulations
Decentralized crypto platforms are not immune to these threats either. For instance, a recent airdrop phishing scam resulted in the loss of $12,300 from a user in under a minute. Such incidents demonstrate that while the OTP ban is a step forward, it addresses only part of the widespread issue of credential theft in the crypto sector.
Looking Ahead: What to Watch For
The SFC's decision also places senior management responsible for client losses if insufficient cybersecurity measures are in place. Firms that do not meet the 12-month compliance deadline are likely to face regulatory repercussions and potential damage to their reputation. As the pressure increases from Hong Kong, other regulators around the world, including those in Singapore and the UK, may also consider similar actions.
Overall, expected changes in the regulatory landscape regarding secure access methods for crypto platforms may lead to a tightening of standards across the board.
Disclaimer: This material is for informational purposes only and does not constitute financial advice.

