Hong Kong SFC forces crypto platforms to abandon SMS authentication

The Hong Kong Securities and Futures Commission has ordered licensed crypto trading platforms and online brokers to replace SMS-based authentication with anti-phishing login methods within the next 12 months.
Summary
- Hong Kong’s SFC has banned SMS-based authentication for licensed crypto platforms and online brokers.
- Firms have 12 months to implement phishing-resistant login methods such as passkeys and hardware authentication keys.
- The move comes as phishing scams accounted for $306 million in crypto losses during Q1 2026.
According to the Hong Kong Securities and Futures Commission (SFC), virtual asset trading platforms (VATP) and online traders should stop relying on one-time passwords delivered via SMS, email, or app-generated codes and instead use strong authentication systems that are difficult for attackers to compromise.
The regulator announced new cybersecurity requirements on Thursday as part of revised customer account protection standards.
Under the new framework, firms will be required to introduce authentication mechanisms that resist phishing and device encryption. The SFC has identified passkeys, registered devices protected by cryptographic authentication, and hardware authentication keys as acceptable alternatives. All licensed platforms must complete the transition within one year.
Hong Kong is tightening security standards for crypto firms
The latest rules come as Hong Kong continues to expand its regulated digital goods market while raising operating standards for licensed businesses. Earlier this week, the SFC also announced changes to the Certified Virtual Asset Platform Practitioner program following discussions with industry representatives.
The administrator is committed to separating the certification exam from your mandatory course, reducing the cost of the exam, and improving the learning materials.
Regulated by the Hong Kong Securities and Investment Institute (HKSI) under SFC standards, the Digital Assets Professionals Accreditation Program serves as Hong Kong’s professional qualification for the digital assets sector. The program covers the basics of blockchain, digital asset products, and anti-money laundering compliance.
Recent regulatory work has gone beyond licensing and professional standards. Last month, Hong Kong confirmed that its first regulated stablecoins are expected to enter the market between the middle and second half of 2026 after the Hong Kong Monetary Authority granted issuer licenses to two bank-backed institutions in April.
According to the HKMA, the issuance process follows the institutions’ existing business plans, while the licensing framework is intended to support financial innovation, protect users, and maintain financial and financial stability.
Returning to cybersecurity measures, the SFC said the stricter authentication requirements are in response to growing phishing and fraud risks affecting financial platforms. Data cited by the regulator showed that fraud and fraud accounted for 57% of security incidents reported to the Hong Kong Cyber Cybera year 2025.
Dr. Ye Zhiheng, executive director of the Coordination Department of the China Securities Regulatory Commission, said that financial institutions need integrated methods of protection, detection, response, and education to protect customer accounts from increasing fraud attacks.
Phishing scams continue to devastate crypto investors
The SFC’s decision follows another period of heavy losses linked to phishing and social engineering attacks in the cryptocurrency industry.
Industry data showed phishing attacks and social engineering scams accounted for $306 million of the crypto industry’s $482 million in total security losses in the first quarter of 2026.
Recently, a crypto investor reportedly lost nearly $1 million after authorizing a phishing token transaction on Ethereum, contributing to a total of $366 million in phishing-related losses during the first half of 2026.
Various incidents have been going on throughout the year. Researcher Ryan Coleman reported that the owner of the fund lost about 1.65 million dollars after connecting to a fake cryptocurrency exchange and signing a malicious contract that gave attackers unlimited access to the fund.
Earlier, on May 25, an on-chain ub-block analyst warned that fraudsters used Google ads to impersonate the decentralized exchange Uniswap, and the campaign reportedly stole more than $400,000 from victims.
Requests for stronger wallet security are also coming from within the industry. Binance founder Changpeng Zhao previously urged users to use better security measures after an investor lost $50 million in an address poisoning scam in December 2025.



