
Banking Passkeys Report. Practical guidance, rollout patterns, and KPIs for passkey programs.
Hong Kong has spent years building a licensed virtual-asset market. By mid-2026 the city had a small but growing list of SFC-licensed VATPs alongside traditional internet brokers that serve retail traders through web and mobile channels. Authentication sat at the center of that growth story in the wrong way: OTP-based login remained the default even as phishing and account takeover campaigns scaled up.
On July 9, 2026, the SFC moved from encouragement to enforcement. In Circular 26EC35 the regulator told internet brokers and VATPs to cease using OTPs for client login and device binding and to adopt phishing-resistant authentication instead. Passkeys and bound devices are named explicitly as acceptable paths.
This post covers four practical questions compliance and product teams are already asking:
The SFC's July 2026 circular is narrow in scope but firm in tone. It does not rewrite Hong Kong's entire cybersecurity rulebook. It targets two high-risk moments in the client journey:
For those two processes, OTP must go. The regulator expects phishing-resistant authentication implemented as soon as practicable and no later than 12 months from the circular date, which sets July 8, 2027 as the outside compliance date.
The circular addresses:
Retail banking under the Hong Kong Monetary Authority (HKMA) is a separate perimeter. HKMA has its own e-banking authentication guidance and has been pushing stronger customer authentication for years, but this July 2026 rule is an SFC intermediaries measure focused on brokers and crypto platforms.
The ban applies to login and device binding only. If a platform still uses OTP for other step-up scenarios outside those two entry points, that use is not automatically covered by this circular. In practice most teams will still review the full authentication map because any remaining OTP path can become the weakest link attackers pivot to.
Existing device bindings do not need a forced mass re-enrollment on day one. The requirement bites when clients log in or register a new device using methods that must become phishing-resistant by the deadline.
| Firm type | Expected timing |
|---|---|
| Large internet brokers | Implement phishing-resistant login and device binding immediately |
| Other internet brokers and VATPs | As soon as practicable, latest July 8, 2027 |
| Monitoring, notifications and incident response | Strengthen now, not after the auth migration finishes |
The SFC had already encouraged firms to stop using SMS OTP in its February 2025 cybersecurity review. The July 2026 notice turns that warning into a dated migration obligation.
Subscribe to our Passkeys Substack for the latest news.
OTP felt reasonable when mobile trading apps were new. Send a six-digit code, verify possession of a phone, move on. Attackers adapted faster than the UX aged.
Modern phishing kits do not just steal passwords. They proxy the entire login session in real time, so an SMS code, email code or authenticator-app OTP the victim types on a fake broker page is forwarded to the genuine service within seconds. The diagram below traces how that relay plays out.
From the platform's perspective the login looks legitimate. That pattern is especially painful in crypto and leveraged trading, where stolen sessions can lead to rapid asset movement. Binance and Coinbase were early passkey adopters partly because account takeover in crypto has immediate financial impact.
HKCERT recorded 15,877 cybersecurity incidents in 2025, a 27% jump year over year. Phishing accounted for 8,973 incidents, or 57% of the total, ahead of botnet activity (18%) and malware (15%). The SFC circular describes 2025 campaigns in which fraudsters impersonated brokers, regulators or government bodies through SMS links and relayed credentials and OTPs to conduct unauthorized transactions.
The risk was already visible before 2025. In November 2024 the [SFC restricted assets totaling HK91 million](https://apps.sfc.hk/edistributionWeb/api/news/list-content?lang=EN&refNo=24PR200) across accounts held at four brokers, including Interactive Brokers Hong Kong, after suspected market manipulation or fraud involving unauthorized trades through hacked accounts. The HK91 million figure refers to assets covered by the restriction notices, not confirmed client losses.
That is the same regional pattern regulators elsewhere have been closing off. Singapore's MAS pushed banks away from SMS OTP in 2024. The UAE's CBUAE set a March 2026 phase-out for SMS and email OTP in banking. Hong Kong's SFC rule is the crypto and internet-broker slice of that broader Asia-Pacific shift.
Teams sometimes ask whether moving from SMS to an authenticator app satisfies the spirit of the rule. The SFC's language targets OTP as a class for login and device binding, not just delivery over SMS or email. A time-based code the user can type into a fraudulent page still fails the phishing-resistance bar the circular is trying to enforce.
See how many people actually use passkeys.
The SFC does not prescribe a single vendor stack. It describes outcomes: authentication that cannot be replayed through a fake website or message channel.
Passkeys are the most direct replacement for OTP login in consumer-facing apps. They use public-key cryptography. During registration, the authenticator creates a key pair. The platform stores the public key while the private key stays on the device or in an OS-backed credential manager. At login, the platform sends a fresh, random challenge. The authenticator signs it with the private key and binds the response to the platform's relying party ID and origin. The platform then verifies the signed challenge with the stored public key. A fresh challenge is valid only once, so an intercepted response cannot be replayed for a later login.
That origin binding is the technical reason passkeys resist phishing, as the diagram below
contrasts: a credential created for exchange.example simply will not authenticate on a
look-alike domain like exchange-secure-login.example, even if the page looks identical.
For VATPs and brokers, passkeys also align with how major crypto platforms already think about security. Public-key authentication is native to the asset class. Rolling out passkeys is less of a conceptual leap for crypto users than for legacy password-only retail banking cohorts.
Practical rollout notes:
The SFC also accepts device binding where a client registers a phone or computer using securely enrolled device attributes plus an additional factor such as biometrics or an account password. This resembles the digital token model used by Singapore banks after the MAS OTP phase-out, though Hong Kong's crypto context adds higher withdrawal velocity and hotter fraud targets.
The circular does not prescribe a fixed list of device attributes. In practice, secure enrollment usually means the app creates a device-specific cryptographic key and registers its public key with the account. The private key remains in hardware-backed storage such as the iOS Secure Enclave or Android Keystore. The platform can combine that proof with an app instance or device identifier and integrity signals. A copied device ID alone is not enough: the device must prove possession of the enrolled private key when it logs in.
Device binding can work well when clients mostly trade from one phone. It gets harder when users expect seamless multi-device access unless the platform also supports synced passkeys or a controlled re-binding flow with cooling-off rules.
FIDO2 hardware security keys can hold passkeys and provide a phishing-resistant option, especially for high-value accounts, institutional sub-accounts or staff access. The circular explicitly names passkeys and bound devices as examples but does not prescribe one authenticator form factor.
The circular carries forward two controls that are easy to miss in a passkey migration:
These requirements matter for shared corporate accounts. Instead of binding many devices to one credential set, firms should consider individual sub-accounts and controls over concurrent logins.
Try passkeys in a live demo.
Authentication migration is only the prevention layer. Circular 26EC35 also expects monitoring, client communication and incident response improvements in parallel.
Firms should be able to:
The SFC also lists concrete monitoring signals: transactions at unusual hours, rapid losses, large volumes in illiquid or small-cap stocks, activity shortly after a password reset or new device binding, bindings from unusual locations, multiple accounts bound to one device, logins from multiple locations within a short period and unusually long sessions. Firms must retain enough device and login data to investigate these patterns.
SMS is not banned as a notification channel. The circular allows email, SMS and push notifications for account alerts. The restriction concerns using OTP as an authentication factor for login and device binding.
Dr Eric Yip, the SFC's Executive Director of Intermediaries, framed the requirement as needing "holistic measures combining prevention, detection, response and education." He added that licensed firms should strengthen their first line of defence with robust authentication, stay alert to suspicious activities and respond before harm is done. Product teams should read that as a signal that a passkey launch without telemetry upgrades will not satisfy supervisors.
Twelve months is enough time only if work starts immediately. A realistic plan for VATPs and internet brokers looks like this:
Large internet brokers should compress this timeline dramatically and treat immediate adoption as the operational baseline, not a stretch goal.
Igor Gjorgjioski
Head of Digital Channels & Platform Enablement, VicRoads
We hit 80% mobile passkey activation across 5M+ users without replacing our IDP.
Passkeys that millions adopt, fast. Start with Corbado's Adoption Platform.
Start Free TrialThe SFC did not frame Circular 26EC35 as optional best practice. The press statement reminds senior management that they are "ultimately responsible for implementing appropriate controls to protect client accounts and assets" and that the regulator "will hold them accountable for any client losses that arise from lapses in their controls."
The circular assigns particular responsibility to the Manager-in-Charge of Overall Management and Oversight and the Manager-in-Charge of Information Technology. It also requires hacking incidents to be reported to the SFC immediately, followed by root cause analysis, a detailed incident report and remedial action.
That wording changes the internal business case. A delayed passkey rollout is not just a product backlog item. It is a control deficiency with potential client-loss exposure if phishing incidents continue through the migration window.
Governance teams should treat the program as a joint technology, risk and customer-education workstream, with board-visible metrics on:
Hong Kong's move fits a wider Asia-Pacific pattern documented across Corbado's compliance coverage:
Hong Kong's version is distinctive because it lands first on licensed crypto trading platforms and internet brokers under the SFC, at a moment when spoofing dominated local incident statistics. It is also one of the clearest regulator statements that passkeys belong in the compliance conversation, not only in developer blogs.
Get free passkey whitepaper for enterprises.
Circular 26EC35 creates a dated migration with real liability attached. VATPs and brokers need to replace OTP on login and device binding, keep unsupported devices from breaking and prove to supervisors that the new flows actually work in production.
Corbado Connect helps teams ship passkey-first login on top of an existing identity stack without migrating user databases. For crypto platforms that still run password-plus-OTP today, that means adding append flows, fallback routing and gradual rollout controls while OTP is phased out on the two regulated surfaces.
What teams typically use during an SFC-style migration:
Hong Kong's SFC did not ban every OTP in financial services. It banned OTP where phishing does the most damage: client login and device binding for internet brokers and VATPs. The approved direction is phishing-resistant authentication, with passkeys and bound devices named as practical examples.
The operational deadline is July 8, 2027, with large internet brokers expected to move now. The harder part is not selecting passkeys on a slide deck. It is migrating a live trading population, keeping fraud monitoring current and showing supervisors that the new controls actually reduced account takeover risk.
For crypto platforms that already market security as a brand promise, the circular is both a compliance task and a chance to align product UX with the cryptography their users already understand.
Corbado is the Authentication Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: where passkeys, passwords, OTP, social login and fallback journeys succeed, stall or fail, which devices and browsers create friction, and when an OS update silently breaks login. Two products: Corbado Observe layers process mining and observability across authentication journeys. Corbado Connect adds managed passkeys with analytics built in alongside your IDP. VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →
No. The July 9, 2026 SFC circular targets internet brokers and licensed virtual asset trading platform operators. It prohibits one-time passwords for client login and device binding only. Other OTP use cases outside those two flows are not covered by this specific ban.
Licensed internet brokers and VATPs must implement phishing-resistant authentication for client login and device binding as soon as practicable and no later than 12 months from the circular date, which sets a compliance deadline of July 8, 2027. Large internet brokers are expected to adopt the new methods immediately.
Yes. The SFC explicitly names passkeys as an example of a phishing-resistant authentication method alongside bound devices. Passkeys based on FIDO2/WebAuthn use public-key cryptography tied to the legitimate service origin, which addresses the real-time OTP relay attacks that motivated the circular.
The SFC states that OTP is not a phishing-resistant authentication solution and should not be used for client login or device binding. App-based TOTP still relies on a shared secret that users can be tricked into entering on a fake site, so it does not satisfy the spirit of the circular even if delivery is not via SMS or email.
The SFC reminds senior management that they are ultimately responsible for controls that protect client accounts and assets. The regulator said it will hold firms accountable for client losses arising from control lapses, which raises the operational and financial stakes beyond a simple technical migration.
They are separate regimes. The July 2026 SFC circular covers securities and virtual-asset intermediaries under SFC supervision. HKMA e-banking guidance applies to authorized institutions such as banks, so firms must assess the rules that apply to their own regulatory perimeter.
Next Step: Ready to implement passkeys at your bank? Our +90-page Banking Passkeys Report is available.
Get the Report
Related Articles
Table of Contents