Back to News

Hong Kong requires crypto platforms to upgrade login security to prevent account theft

Hong Kong’s regulator has ordered licensed crypto trading platforms to adopt stronger login methods within 12 months to stop phishing attacks that steal user passwords. This affects both the platforms and their users, aiming to protect investors and improve overall security in the digital asset market.
Hong Kong's Securities and Futures Commission (SFC) has ordered all licensed crypto trading platforms and online brokers in the city to implement phishing-resistant login requirements within the next 12 months. The directive, published July 9, sets a compliance deadline of mid-2027.

The move targets a persistent vulnerability in digital asset markets: credential theft. Phishing attacks – where bad actors trick users into handing over passwords or two-factor codes – have drained millions from exchange accounts globally. The SFC's new rules push platforms to adopt authentication methods that cannot be easily intercepted or replayed.

While the regulator did not specify exact technology, the term "phishing-resistant" typically refers to hardware-based security keys (FIDO2/WebAuthn) or biometric verification tied to a user's device. Standard SMS codes and app-based one-time passwords, both common in crypto, are vulnerable to real-time phishing proxies. The SFC is effectively telling platforms to eliminate that weak link.

The 12-month timeline gives operators room to retool their login flows and educate users. Hong Kong has been tightening its grip on the sector since introducing its mandatory licensing regime for virtual asset service providers in 2023. A handful of platforms have already secured or applied for licenses; others folded or left the city.

For traders, the practical effect is straightforward: expect to register a security key or enroll facial recognition before you can trade. That extra step, while friction, shuts down the most common account takeover vector. The SFC's order applies to both retail and professional investor accounts under its supervision.

The directive arrives as global regulators step up pressure on exchange security. Japan's FSA already mandates hardware-based MFA for certain crypto services. The UK's FCA has flagged phishing as a top enforcement priority. Hong Kong's rule makes it the first major Asian hub to codify a specific anti-phishing standard for digital assets, not just a general "strong authentication" recommendation.

The key date for platforms: July 2027. Any firm that fails to meet the requirement risks license conditions or, in a worst case, revocation. For now, the market read the news as bullish – tighter security lowers the probability of exchange breaches, which historically trigger selloffs and erode retail confidence. Whether that bullish read holds will depend on how smoothly the rollout goes.

Related news