Hong Kong's Securities and Futures Commission (SFC) has ordered internet brokers and virtual asset trading platforms to stop using one-time passwords (OTPs) for client logins and device binding, citing a rise in phishing attacks that have led to account takeovers.
In a circular issued on Thursday, the regulator instructed firms to adopt phishing-resistant authentication measures such as passkeys and device binding for login and device registration. The SFC said OTPs sent by text message or mobile application can be relayed to attackers via fake login pages, allowing intruders to pass authentication checks in real time.
Regulatory response to phishing-driven account takeovers
The SFC linked the move to a series of account hijackings in Hong Kong's markets driven by phishing schemes that harvest client credentials. Late last year, the regulator froze about HK$91 million, roughly $11.7 million, across four brokers, including Interactive Brokers' local unit, after unauthorized trades were executed through compromised accounts.
The circular extends a campaign the SFC has pursued for more than a year as scams targeting broker clients have multiplied. According to the regulator, phishing accounted for 57% of the security incidents reported to the Hong Kong Computer Emergency Response Team Coordination Centre in 2025.
New authentication standards and implementation timeline
The SFC's order is explicit that firms must cease using OTPs for client login and device binding, noting that these methods carry heightened risks now that stronger alternatives are available. Passkeys and bound devices are intended to close the security gap by tying account access to a specific device or hardware credential, rather than to a code that clients can be tricked into entering on fraudulent sites.
Firms are required to implement the new measures as soon as practicable and no later than 12 months from the date of the circular. The regulator indicated that large internet brokers are expected to adopt phishing-resistant authentication immediately.
Broad scope and management accountability
The new rules apply broadly across Hong Kong's regulated markets. They cover licensed corporations dealing in securities, futures and leveraged foreign exchange, as well as asset managers that distribute funds through internet trading and licensed virtual asset trading platforms in the city.
The SFC emphasized that senior management remains ultimately responsible for protecting client accounts and assets. It stated that it will hold executives accountable for any client losses that result from lapses in their firms' security controls.



