Login
Sign Up
Woofun AI reports that the Securities and Futures Commission (SFC) in Hong Kong has issued a directive requiring crypto platforms to eliminate one-time passwords (OTPs) for client logins and device registration by July 8, 2027. This regulatory shift explicitly deems OTPs insufficient for these critical security processes, mandating a transition to more robust authentication methods while leaving other OTP uses unaffected. Existing device bindings for current clients are exempt from immediate re-verification, though large internet brokers must deploy enhanced security measures immediately, whereas the broader industry is granted a 12-month implementation period. Structural controls around login protocols take effect from the outset, compelling firms to immediately upgrade client notifications, account monitoring, surveillance, and incident-response procedures. The SFC further requires immediate account suspension or restriction upon detection of any fraud indicators.
The regulatory urgency stems from a surge in sophisticated phishing campaigns reported in 2025, where fraudsters exploited weak authentication layers. Attackers distributed text messages containing malicious links that impersonated legitimate brokers or purported to be official requests from regulators and government bodies. Victims were tricked into surrendering login credentials and one-time passcodes on fake sites, enabling hackers to hijack sessions and move funds. To counter these specific threat vectors, the SFC mandates rigorous monitoring of irregular logins, new-device activity, trading patterns that deviate from a client’s history, and fund or virtual-asset withdrawals. Clients must receive prompt notices of successful logins and higher-risk changes, such as new device additions or passkey modifications.
Per Woofun AI, the technical standards emphasize passkeys, where the private key remains on the user’s device or with a passkey manager, ensuring the credential works only with the legitimate service. Alternatively, the SFC accepts device binding built around robust verification, incorporating an additional factor like a biometric check or an account password. These safeguards are directly tied to the firms’ duty to shield clients from theft and fraud. The regulator clarified that firms can be held accountable for client losses if inadequate measures fail to prevent, detect, and stop large-scale unauthorized transactions following a hacking incident. This liability framework ensures that security upgrades are not merely procedural but legally binding obligations.
Senior managers overseeing overall operations and information technology bear ultimate responsibility for the rollout of these new security protocols. The compliance deadline of July 2027 marks a critical juncture, requiring platforms to drop OTPs at key login points while simultaneously enhancing fraud detection capabilities. This transition aims to protect clients through the change, ensuring that the removal of OTPs does not create new vulnerabilities but rather strengthens the overall security posture against evolving cyber threats.