TechFlow News, July 9, according to The Block, the Securities and Futures Commission (SFC) of Hong Kong issued a circular requiring licensed virtual asset trading platforms and internet brokerages to stop using one-time passwords (OTP) for user login and device binding within 12 months, and instead adopt stronger authentication methods such as Passkeys and device binding. This move stems from deception attacks accounting for up to 57% in 2025 Hong Kong cybersecurity incidents.
The SFC also requires all institutions to establish monitoring systems for suspicious logins, transactions, and withdrawals, and to timely notify customers of abnormal account activities; large brokerages must implement new authentication measures immediately. The SFC emphasized that if institutional internal control defects lead to customer losses, relevant parties will be held accountable.



