The Hong Kong Securities and Futures Commission (SFC) just dropped a bomb that will rattle every exchange with a HK license. On May 22, 2025, they issued a circular that effectively kills SMS, email, and app-based one-time passwords (OTP) for customer login and device binding. The mandate? Switch to passkeys or other phishing-resistant authentication methods. And if you think that's tough, wait until you read the fine print: senior management is now personally liable for customer losses from security breaches.
This isn't a recommendation. It's a hard deadline. Large brokers must comply immediately. The rest get 12 months. I've been watching the regulatory tea leaves since my days tracking the ICO mania in 2017, and this is the sharpest pivot I've seen from any major financial hub.
Let's rewind. The SFC had already flagged OTP risks back in February 2025 guidance. But the conversion from 'guidance' to 'command' happened fast. Why? Because the numbers are ugly. According to the circular, phishing attacks now account for 57% of all cybersecurity incidents in the region. Total cyber incidents jumped 27% in 2025. The regulator saw the trendline and decided to act before it became a crisis.
Here's the core technical reality: passkeys (based on FIDO2/WebAuthn) are cryptographically superior to OTP. They bind authentication to a specific device and require biometric or hardware key confirmation. A hacker can't phish what they can't intercept. But the devil is in the deployment. I've audited enough exchange code to know that migrating an existing user base to passkeys is a logistical nightmare. You have to handle backup keys, device recovery, cross-platform synchronization — and if you mess up the recovery flow, you permanently lock users out of their accounts.
The immediate market impact is a sharp cost spike for licensed exchanges. HashKey, OSL, and the other five virtual asset trading platforms in Hong Kong will have to rebuild their login systems, retrain support staff, and potentially lose users who find passkeys inconvenient. I've already heard chatter from my contacts in the local community: 'We don't want to hassle our high-net-worth clients with hardware tokens.' But now they have no choice.
Now for the contrarian angle that everyone is missing. This regulation isn't primarily about stopping phishing. It's about giving the regulator a leverage point to shrink the ecosystem. By making senior management personally liable (Information Point 23), the SFC turns every security incident into a potential career-ending event for C-suite executives. This creates an enormous incentive for exchanges to under-invest in product velocity and over-invest in compliance theatre. The narrative shifts faster than the block height — just six months ago Hong Kong was a 'crypto hub' darling. Now it's morphing into a fortress where only the biggest and most capital-intensive players can survive.
My experience during the 2022 bear market taught me to read the silence as signal. When I organized those networking dinners in South Mumbai, the absence of chatter was a bottoming indicator. Similarly, the silence from the non-licensed exchanges right now tells me they're watching closely. If Hong Kong's move becomes a template, the entire offshore exchange model (Binance, OKX, Bybit) could face a compliance domino effect. Singapore's MAS and the UK's FCA are already under pressure to adopt similar measures.
Let's look at the winners and losers.
Winners: - Passkey providers like Okta, Yubico, and Apple (which already has a robust passkey ecosystem). - Hardware wallet makers (Ledger, Trezor) — their devices can double as FIDO2 authenticators. - Decentralized exchanges (Uniswap, GMX) — because users fleeing centralized OTP friction may opt for self-custody solutions.
Losers: - Small to mid-tier Hong Kong licensed exchanges that lack the engineering muscle to overhaul their authentication stack in 12 months. - Traders who rely on SMS OTP for speed and simplicity; they may experience downtime or inconvenience. - Any exchange that tries to implement passkeys poorly — a single security flaw in the recovery mechanism could trigger the new liability clause.
I've been in this game long enough to know that regulatory shock waves are rarely singular events. The SFC's circular includes a clear signal: 'Operators must notify customers of key account events immediately, and maintain audit trails of all authentication changes.' This is a red flag for privacy-focused users. The mandate to monitor suspicious activity (Information Point 20) essentially forces exchanges to implement behavioral analytics on user logins — a level of surveillance that could alienate the cypherpunk crowd.
Community is the only consensus that truly matters, and right now the Telegram groups are split. Some see it as a necessary evolution toward 'institutional-grade security.' Others call it a backdoor to KYC/AML expansion. I’ve heard one trader say, 'We don't need the SFC to protect us from phishing; we need better education.' Fair point, but the regulator has made its choice.
What happens next? Here's my forward-looking take: by Q3 2026, if Hong Kong successfully phases out OTP without a major incident (or a catastrophic lockout event), expect the UK and Singapore to follow within 6 months. But if a high-profile hack exploits a vulnerability in the passkey implementation itself, the entire approach could backfire. The blind spot here is the assumption that passkeys are invulnerable. They're not. Device theft, malware on the user's endpoint, or even a compromised biometric database could still result in losses. The SFC's solution raises the bar, but it doesn't eliminate the underlying risk.
The real question isn't whether your exchange will comply. It's whether you, as a trader, trust the new system more than the old one. I'm watching the deposit rates on HashKey and OSL over the next 90 days. If they drop, the narrative shifts again. But if they stabilize, Hong Kong just wrote the blueprint for the next decade of crypto security regulation. Stay tuned — the block height is about to get a lot faster.