Get your free and exclusive +45-page Authentication Analytics Whitepaper
Back to Overview

Hong Kong SFC bans OTPs for Crypto in favor of Passkeys

Hong Kong's SFC banned OTP logins for crypto platforms and internet brokers. Learn the July 2027 deadline, passkey options and what VATPs must do now.

Vincent Delitz
Vincent Delitz

Created: July 17, 2026

Updated: July 17, 2026

Hong Kong SFC bans OTPs for Crypto in favor of Passkeys
WhitepaperBanking Icon

Banking Passkeys Report. Practical guidance, rollout patterns, and KPIs for passkey programs.

Get the Report
Key Facts
  • On July 9, 2026, Hong Kong's Securities and Futures Commission (SFC) issued Circular 26EC35 requiring internet brokers and virtual asset trading platform operators (VATPs) to stop using one-time passwords (OTPs) for client login and device binding.
  • Firms must switch to phishing-resistant authentication such as passkeys or cryptographically bound devices, with a hard deadline of July 8, 2027. Large internet brokers are expected to move immediately.
  • Phishing attacks accounted for 57% of security incidents reported to the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) in 2025, part of a record 15,877 incidents, up 27% year over year.
  • The circular is not login-only hygiene. Firms must also improve surveillance, client notifications and incident response, and senior management can be held accountable for client losses when controls fail.

1. Introduction: Why Hong Kong's SFC banned OTP logins for crypto platforms#

Hong Kong has spent years building a licensed virtual-asset market. By mid-2026 the city had a small but growing list of SFC-licensed VATPs alongside traditional internet brokers that serve retail traders through web and mobile channels. Authentication sat at the center of that growth story in the wrong way: OTP-based login remained the default even as phishing and account takeover campaigns scaled up.

On July 9, 2026, the SFC moved from encouragement to enforcement. In Circular 26EC35 the regulator told internet brokers and VATPs to cease using OTPs for client login and device binding and to adopt phishing-resistant authentication instead. Passkeys and bound devices are named explicitly as acceptable paths.

This post covers four practical questions compliance and product teams are already asking:

  1. Who must comply and which authentication flows are in scope?
  2. Why did the SFC decide OTP is no longer defensible for login and device binding?
  3. What should replace OTP, and where do passkeys fit?
  4. How can firms reach the July 8, 2027 deadline without breaking conversion or support operations?

2. What Circular 26EC35 requires#

The SFC's July 2026 circular is narrow in scope but firm in tone. It does not rewrite Hong Kong's entire cybersecurity rulebook. It targets two high-risk moments in the client journey:

  • Client login to internet trading or VATP accounts
  • Device binding, when a client registers or links a new phone or computer to an account

For those two processes, OTP must go. The regulator expects phishing-resistant authentication implemented as soon as practicable and no later than 12 months from the circular date, which sets July 8, 2027 as the outside compliance date.

2.1 Who is in scope#

The circular addresses:

  • Internet brokers: SFC-licensed corporations engaged in internet trading for Type 1 (securities), Type 2 (futures), Type 3 (leveraged FX) and/or Type 9 (asset management) activities where funds are distributed through internet-based facilities
  • SFC-licensed virtual asset service providers (VASPs): the circular notes that this currently means VATP operators, as virtual asset trading platforms are the only type of virtual asset service under Schedule 3B of Hong Kong's Anti-Money Laundering and Counter-Terrorist Financing Ordinance

Retail banking under the Hong Kong Monetary Authority (HKMA) is a separate perimeter. HKMA has its own e-banking authentication guidance and has been pushing stronger customer authentication for years, but this July 2026 rule is an SFC intermediaries measure focused on brokers and crypto platforms.

2.2 What stays unchanged#

The ban applies to login and device binding only. If a platform still uses OTP for other step-up scenarios outside those two entry points, that use is not automatically covered by this circular. In practice most teams will still review the full authentication map because any remaining OTP path can become the weakest link attackers pivot to.

Existing device bindings do not need a forced mass re-enrollment on day one. The requirement bites when clients log in or register a new device using methods that must become phishing-resistant by the deadline.

2.3 Timeline and expectations for large brokers#

Firm typeExpected timing
Large internet brokersImplement phishing-resistant login and device binding immediately
Other internet brokers and VATPsAs soon as practicable, latest July 8, 2027
Monitoring, notifications and incident responseStrengthen now, not after the auth migration finishes

The SFC had already encouraged firms to stop using SMS OTP in its February 2025 cybersecurity review. The July 2026 notice turns that warning into a dated migration obligation.

Substack Icon

Subscribe to our Passkeys Substack for the latest news.

Subscribe

3. Why OTP failed as the front door for trading accounts#

OTP felt reasonable when mobile trading apps were new. Send a six-digit code, verify possession of a phone, move on. Attackers adapted faster than the UX aged.

3.1 Real-time phishing beats delayed codes#

Modern phishing kits do not just steal passwords. They proxy the entire login session in real time, so an SMS code, email code or authenticator-app OTP the victim types on a fake broker page is forwarded to the genuine service within seconds. The diagram below traces how that relay plays out.

From the platform's perspective the login looks legitimate. That pattern is especially painful in crypto and leveraged trading, where stolen sessions can lead to rapid asset movement. Binance and Coinbase were early passkey adopters partly because account takeover in crypto has immediate financial impact.

3.2 Hong Kong's 2025 incident data#

HKCERT recorded 15,877 cybersecurity incidents in 2025, a 27% jump year over year. Phishing accounted for 8,973 incidents, or 57% of the total, ahead of botnet activity (18%) and malware (15%). The SFC circular describes 2025 campaigns in which fraudsters impersonated brokers, regulators or government bodies through SMS links and relayed credentials and OTPs to conduct unauthorized transactions.

The risk was already visible before 2025. In November 2024 the [SFC restricted assets totaling HK91 million](https://apps.sfc.hk/edistributionWeb/api/news/list-content?lang=EN&refNo=24PR200) across accounts held at four brokers, including Interactive Brokers Hong Kong, after suspected market manipulation or fraud involving unauthorized trades through hacked accounts. The HK91 million figure refers to assets covered by the restriction notices, not confirmed client losses.

That is the same regional pattern regulators elsewhere have been closing off. Singapore's MAS pushed banks away from SMS OTP in 2024. The UAE's CBUAE set a March 2026 phase-out for SMS and email OTP in banking. Hong Kong's SFC rule is the crypto and internet-broker slice of that broader Asia-Pacific shift.

3.3 Why app-based OTP is still OTP#

Teams sometimes ask whether moving from SMS to an authenticator app satisfies the spirit of the rule. The SFC's language targets OTP as a class for login and device binding, not just delivery over SMS or email. A time-based code the user can type into a fraudulent page still fails the phishing-resistance bar the circular is trying to enforce.

StateOfPasskeys Icon

See how many people actually use passkeys.

View Adoption Data

4. Compliant alternatives: passkeys, bound devices and hardware keys#

The SFC does not prescribe a single vendor stack. It describes outcomes: authentication that cannot be replayed through a fake website or message channel.

4.1 Passkeys (FIDO2 / WebAuthn)#

Passkeys are the most direct replacement for OTP login in consumer-facing apps. They use public-key cryptography. During registration, the authenticator creates a key pair. The platform stores the public key while the private key stays on the device or in an OS-backed credential manager. At login, the platform sends a fresh, random challenge. The authenticator signs it with the private key and binds the response to the platform's relying party ID and origin. The platform then verifies the signed challenge with the stored public key. A fresh challenge is valid only once, so an intercepted response cannot be replayed for a later login.

That origin binding is the technical reason passkeys resist phishing, as the diagram below contrasts: a credential created for exchange.example simply will not authenticate on a look-alike domain like exchange-secure-login.example, even if the page looks identical.

For VATPs and brokers, passkeys also align with how major crypto platforms already think about security. Public-key authentication is native to the asset class. Rolling out passkeys is less of a conceptual leap for crypto users than for legacy password-only retail banking cohorts.

Practical rollout notes:

  • Support platform authenticators on iOS, Android and desktop browsers first
  • Offer Conditional UI on web login where client capabilities allow it
  • Plan passkey recovery before marketing "passwordless trading"
  • Track native app passkeys separately from web; crypto users split heavily across mobile apps and browser access

4.2 Bound devices with cryptographic verification#

The SFC also accepts device binding where a client registers a phone or computer using securely enrolled device attributes plus an additional factor such as biometrics or an account password. This resembles the digital token model used by Singapore banks after the MAS OTP phase-out, though Hong Kong's crypto context adds higher withdrawal velocity and hotter fraud targets.

The circular does not prescribe a fixed list of device attributes. In practice, secure enrollment usually means the app creates a device-specific cryptographic key and registers its public key with the account. The private key remains in hardware-backed storage such as the iOS Secure Enclave or Android Keystore. The platform can combine that proof with an app instance or device identifier and integrity signals. A copied device ID alone is not enough: the device must prove possession of the enrolled private key when it logs in.

Device binding can work well when clients mostly trade from one phone. It gets harder when users expect seamless multi-device access unless the platform also supports synced passkeys or a controlled re-binding flow with cooling-off rules.

4.3 Hardware security keys#

FIDO2 hardware security keys can hold passkeys and provide a phishing-resistant option, especially for high-value accounts, institutional sub-accounts or staff access. The circular explicitly names passkeys and bound devices as examples but does not prescribe one authenticator form factor.

4.4 Credential limits and session controls#

The circular carries forward two controls that are easy to miss in a passkey migration:

  • Firms generally should not allow more than three passkeys and/or three bound devices per trading account. Requests above that limit require an adequate assessment.
  • Clients must not be able to disable session timeout. The SFC gives 30 minutes as an example maximum idle period unless a longer session is justified, assessed and closely monitored.

These requirements matter for shared corporate accounts. Instead of binding many devices to one credential set, firms should consider individual sub-accounts and controls over concurrent logins.

Demo Icon

Try passkeys in a live demo.

Try Passkeys

5. Detection and response: the other half of the circular#

Authentication migration is only the prevention layer. Circular 26EC35 also expects monitoring, client communication and incident response improvements in parallel.

Firms should be able to:

  • Detect irregular logins, new-device activity, unusual trading patterns and suspicious withdrawals
  • Notify clients promptly of successful logins and higher-risk account changes, including passkey creation or revocation, through multiple channels where applicable
  • Restrict or suspend accounts when fraud indicators appear
  • Respond quickly to hacking incidents and keep clients informed about emerging impersonation scams

The SFC also lists concrete monitoring signals: transactions at unusual hours, rapid losses, large volumes in illiquid or small-cap stocks, activity shortly after a password reset or new device binding, bindings from unusual locations, multiple accounts bound to one device, logins from multiple locations within a short period and unusually long sessions. Firms must retain enough device and login data to investigate these patterns.

SMS is not banned as a notification channel. The circular allows email, SMS and push notifications for account alerts. The restriction concerns using OTP as an authentication factor for login and device binding.

Dr Eric Yip, the SFC's Executive Director of Intermediaries, framed the requirement as needing "holistic measures combining prevention, detection, response and education." He added that licensed firms should strengthen their first line of defence with robust authentication, stay alert to suspicious activities and respond before harm is done. Product teams should read that as a signal that a passkey launch without telemetry upgrades will not satisfy supervisors.

6. Implementation roadmap to July 8, 2027#

Twelve months is enough time only if work starts immediately. A realistic plan for VATPs and internet brokers looks like this:

6.1 Phase 1: Auth inventory and architecture (Q3 2026)#

  • Map every login, device-binding and recovery path that still uses OTP
  • Decide the primary consumer method (usually passkeys) and fallback policy for unsupported devices
  • Align Web and native app ceremonies so clients are not pushed back to OTP on one surface only
  • Review third-party identity, white-label apps and API-only clients that share the same account directory

6.2 Phase 2: Build, pilot and measure (Q4 2026 - Q1 2027)#

  • Implement WebAuthn registration and assertion flows with explicit RP ID and related origins coverage for marketing domains
  • Run pilots on new registrations first, then returning users with passkey append prompts after successful password login
  • Instrument creation rate, login success, error codes and fallback rate by OS and browser before full cutover
  • Update support playbooks for lost devices, sync issues and cross-platform passkey mismatches
  • Test the new authentication methods adequately before deployment, then roll them out to all clients as soon as practicable with clear implementation guidance

6.3 Phase 3: OTP cutover and compliance evidence (Q2 - July 2027)#

  • Disable OTP for login and new device binding on the deadline path
  • Notify the firm's SFC case officer immediately if meeting the 12-month implementation period becomes difficult; the circular does not establish a general legacy-client exception
  • Produce audit evidence: auth policy changes, penetration test results, monitoring rule updates and customer notification logs

Large internet brokers should compress this timeline dramatically and treat immediate adoption as the operational baseline, not a stretch goal.

Igor Gjorgjioski Testimonial

Igor Gjorgjioski

Head of Digital Channels & Platform Enablement, VicRoads

We hit 80% mobile passkey activation across 5M+ users without replacing our IDP.

Passkeys that millions adopt, fast. Start with Corbado's Adoption Platform.

Start Free Trial

7. Liability, governance and what senior management should expect#

The SFC did not frame Circular 26EC35 as optional best practice. The press statement reminds senior management that they are "ultimately responsible for implementing appropriate controls to protect client accounts and assets" and that the regulator "will hold them accountable for any client losses that arise from lapses in their controls."

The circular assigns particular responsibility to the Manager-in-Charge of Overall Management and Oversight and the Manager-in-Charge of Information Technology. It also requires hacking incidents to be reported to the SFC immediately, followed by root cause analysis, a detailed incident report and remedial action.

That wording changes the internal business case. A delayed passkey rollout is not just a product backlog item. It is a control deficiency with potential client-loss exposure if phishing incidents continue through the migration window.

Governance teams should treat the program as a joint technology, risk and customer-education workstream, with board-visible metrics on:

  • Share of logins still using OTP
  • Passkey adoption and successful assertion rate by platform
  • Mean time to detect and suspend suspicious withdrawals after credential compromise
  • Volume and outcome of impersonation-scam client notifications

8. Regional context: Hong Kong joins the OTP exit lane#

Hong Kong's move fits a wider Asia-Pacific pattern documented across Corbado's compliance coverage:

  • Singapore (2024): MAS and ABS pushed retail banks from SMS OTP toward cryptographic digital tokens
  • Malaysia (2025): BNM's updated RMiT framework expects phishing-resistant MFA and device-bound credentials
  • UAE (March 2026): CBUAE ends SMS and email OTP for banking authentication
  • Brazil (March 2026): CMN and BCB resolutions mandate auditable MFA for financial infrastructure

Hong Kong's version is distinctive because it lands first on licensed crypto trading platforms and internet brokers under the SFC, at a moment when spoofing dominated local incident statistics. It is also one of the clearest regulator statements that passkeys belong in the compliance conversation, not only in developer blogs.

Enterprise Icon

Get free passkey whitepaper for enterprises.

Get for free

9. How Corbado can help#

Circular 26EC35 creates a dated migration with real liability attached. VATPs and brokers need to replace OTP on login and device binding, keep unsupported devices from breaking and prove to supervisors that the new flows actually work in production.

Corbado Connect helps teams ship passkey-first login on top of an existing identity stack without migrating user databases. For crypto platforms that still run password-plus-OTP today, that means adding append flows, fallback routing and gradual rollout controls while OTP is phased out on the two regulated surfaces.

What teams typically use during an SFC-style migration:

  • Activation analytics to see where passkey enrollment stalls after sign-in
  • Login funnel telemetry to compare completion rates against legacy OTP paths by OS and browser
  • Error clustering for WebAuthn failures so support is not guessing from ticket volume alone
  • Gradual rollout rules to suppress broken environments while adoption ramps

10. Conclusion#

Hong Kong's SFC did not ban every OTP in financial services. It banned OTP where phishing does the most damage: client login and device binding for internet brokers and VATPs. The approved direction is phishing-resistant authentication, with passkeys and bound devices named as practical examples.

The operational deadline is July 8, 2027, with large internet brokers expected to move now. The harder part is not selecting passkeys on a slide deck. It is migrating a live trading population, keeping fraud monitoring current and showing supervisors that the new controls actually reduced account takeover risk.

For crypto platforms that already market security as a brand promise, the circular is both a compliance task and a chance to align product UX with the cryptography their users already understand.

Corbado

About Corbado

Corbado is the Authentication Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: where passkeys, passwords, OTP, social login and fallback journeys succeed, stall or fail, which devices and browsers create friction, and when an OS update silently breaks login. Two products: Corbado Observe layers process mining and observability across authentication journeys. Corbado Connect adds managed passkeys with analytics built in alongside your IDP. VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert

Frequently Asked Questions#

Did Hong Kong ban SMS and email OTP for all financial services?#

No. The July 9, 2026 SFC circular targets internet brokers and licensed virtual asset trading platform operators. It prohibits one-time passwords for client login and device binding only. Other OTP use cases outside those two flows are not covered by this specific ban.

When must Hong Kong crypto platforms stop using OTP logins?#

Licensed internet brokers and VATPs must implement phishing-resistant authentication for client login and device binding as soon as practicable and no later than 12 months from the circular date, which sets a compliance deadline of July 8, 2027. Large internet brokers are expected to adopt the new methods immediately.

Are passkeys compliant with the Hong Kong SFC OTP ban?#

Yes. The SFC explicitly names passkeys as an example of a phishing-resistant authentication method alongside bound devices. Passkeys based on FIDO2/WebAuthn use public-key cryptography tied to the legitimate service origin, which addresses the real-time OTP relay attacks that motivated the circular.

Can Hong Kong VATPs still use authenticator-app TOTP instead of passkeys?#

The SFC states that OTP is not a phishing-resistant authentication solution and should not be used for client login or device binding. App-based TOTP still relies on a shared secret that users can be tricked into entering on a fake site, so it does not satisfy the spirit of the circular even if delivery is not via SMS or email.

What happens if a Hong Kong broker fails the SFC authentication deadline?#

The SFC reminds senior management that they are ultimately responsible for controls that protect client accounts and assets. The regulator said it will hold firms accountable for client losses arising from control lapses, which raises the operational and financial stakes beyond a simple technical migration.

How does the Hong Kong SFC OTP ban relate to HKMA banking rules?#

They are separate regimes. The July 2026 SFC circular covers securities and virtual-asset intermediaries under SFC supervision. HKMA e-banking guidance applies to authorized institutions such as banks, so firms must assess the rules that apply to their own regulatory perimeter.

Next Step: Ready to implement passkeys at your bank? Our +90-page Banking Passkeys Report is available.

Get the Report

Share this article


LinkedInTwitterFacebook