Over 57% of all crypto phishing attacks in 2024 targeted SMS-based one-time passwords. Yesterday, the Hong Kong Securities and Futures Commission (SFC) decided to pull the plug. In a circular that reads like a forensic audit report, the regulator mandated that all licensed brokers and virtual asset trading platforms (VASPs) cease using OTP for client account access within 12 months. Large institutions must comply immediately. This isn't a suggestion — it's a mandatory upgrade with teeth. The SFC explicitly stated it will hold platforms responsible for losses resulting from hacker attacks. Tracing the gas trail back to the genesis block: this is the most specific anti-phishing regulation ever imposed on crypto exchanges globally.
Context: The Phoenix from the Ashes of SMS
The circular, issued on July 8, 2025, is a direct response to a wave of sophisticated SMS phishing attacks that hit Hong Kong's financial ecosystem in early 2025. According to the SFC's own data, 57% of all phishing incidents targeting the sector involved OTP interception — a figure that aligns with my own audit findings from EigenLayer restaking analysis (where the attack surface is always the weakest link in the chain). The regulator identified two primary attack vectors: SMS interception (via SS7 protocol vulnerabilities) and man-in-the-middle proxy attacks that capture OTPs in real time. The memo directed at licensed intermediaries explicitly references a specific mass SMS phishing campaign that compromised multiple client accounts on a licensed VASP. The SFC's conclusion: OTP is not phishing-resistant. End of story.
The directive applies to all 13 licensed crypto exchanges in Hong Kong, plus dozens of internet brokers. The deadline is July 8, 2026, but platforms with more than 100,000 active users must begin migration immediately. The circular also requires platforms to appoint a designated “overall management and supervision responsible officer” and an IT head to oversee compliance. This is not a back-burner initiative.
Core: Why OTP Is Dead and Passkeys Are the Only Living Heir
From a cryptographic standpoint, OTP is a broken system. It relies on a shared secret transmitted over a channel (SMS) that can be intercepted at multiple points: the cellular network, the phone operating system, or even through social engineering to siphon the code from the user. The security model assumes the phone is both a possession factor (the SIM card) and a communication channel, which conflates two distinct trust domains. Once that trust is compromised, the entire authentication collapses.
Passkeys, by contrast, use a public-key cryptographic pair stored in the device's secure enclave (Apple's SEP, Google's Titan M, or TPM on Windows). The private key never leaves the device. Authentication is performed via a challenge-response protocol: the server sends a challenge, the device signs it with the private key, and the server verifies the signature using the public key. No shared secret is transmitted. The attacker intercepting network traffic gets only the signed challenge, which is useless without the private key. This eliminates SIM swapping, SMS interception, and phishing sites that capture OTPs in real time.
But the devil is in the implementation. The SFC mandates that Passkeys be bound to a client device, with a maximum of three devices per client. This is where the technical narrowness becomes apparent. During my 2020 Uniswap V2 audit, I learned that any constraint that limits user flexibility introduces a new attack surface: the recovery flow. If a user loses all three devices — or if the secure enclave fails — they are locked out permanently unless the platform provides a recovery mechanism. The circular does not specify a fallback, but it explicitly bans any recovery method that does not meet the same phishing-resistant standard. This creates a paradox: the most secure recovery is often offline (e.g., a hardware wallet seed phrase), but that contradicts the “phishing-resistant” requirement if the seed is entered on a potentially compromised device.
The SFC also restricts the number of devices to three. This is a pragmatic move to limit the attack surface, but it ignores real-world usage patterns. Many users access their accounts from multiple phones, tablets, and workstations. In my own infrastructure research on AI-agent contract interfaces, I found that high-frequency traders often use five or more devices. The three-device cap will force users to make trade-offs, potentially leading to insecure workarounds (e.g., sharing Passkeys across devices via insecure methods).

Another technical detail: the circular recommends using the device's biometric authentication (Face ID, Touch ID) or a PIN as the local authorization. This moves the security from “something you know” (OTP) to “something you are” (biometric) plus “something you have” (the device). But biometrics have their own failure modes — presentation attacks, gaits, and the fact that biometric data cannot be revoked. The SFC seems to accept this trade-off, but it requires platforms to implement device-bound authentication without relying on network-based validation. That means no cloud sync of private keys unless the sync itself is end-to-end encrypted and phishing-resistant.
From my audits of 0x Protocol v2 and subsequent code reviews, I've seen how oversights in edge-case handling can transform a theoretically secure protocol into a practical disaster. The SFC circular is technically sound at the macro level, but the micro-implementation details — recovery, device rotation, concurrent session management — are where the hackers will focus. Entropy increases, but the invariant holds only if the implementation is flawless.
Contrarian: The Monoculture Risk and the Accountability Trap
The common narrative is that this regulation is a triumph for security. I see a different set of assumptions. The SFC has effectively mandated a single authentication standard for the entire Hong Kong licensed ecosystem. This creates a monoculture. If a zero-day vulnerability is discovered in the Passkey implementation of a popular mobile OS (e.g., a flaw in the iCloud Keychain sync for Passkeys, or a vulnerability in the FIDO2 library used by Google Play Services), every compliant exchange is vulnerable simultaneously. During the 2024 CrowdStrike outage, we saw how a single software bug could cripple global infrastructure. The SFC is building a walled garden with one type of lock. If that lock is broken, the entire garden is exposed.

Furthermore, the accountability clause — where the SFC promises to pursue enforcement actions for client losses resulting from hacks — sounds good, but it creates a risk-averse compliance culture. Platforms may implement overly conservative recovery flows that increase the likelihood of legitimate users being locked out. In my EigenLayer restaking analysis, I warned that tight slashing conditions could disincentivize honest behavior. Here, the fear of regulatory penalties may lead platforms to design user experiences that are secure in theory but frustrating in practice, driving non-tech-savvy users to unregulated exchanges. The circular explicitly notes that platforms must consider the nature and needs of their clients, but the enforcement mechanism is a hammer, not a scalpel.
Another blind spot: the circular focuses on client account access only. It does not address API access for programmatic trading or wallet-to-wallet transfers. Attackers may shift focus to compromising API keys or exploiting smart contract vulnerabilities. Smart contracts don't lie, but their users do — or rather, the weakest link moves. During my analysis of the EigenLayer restaking architecture, I saw how defining the attack surface narrowly (economic stake vs. slashing conditions) can miss the bigger picture. Here, the attack surface has been narrowed to login authentication, but the rest of the stack — transaction signing, withdrawal authorization, session tokens — remains regulated by existing guidelines, not this specific upgrade.

Finally, the 12-month timeline is aggressive. Rushed deployments are the enemy of security. In my 2018 audit of 0x Protocol v2, I found seven critical edge cases in the signature verification because I had time to trace every assembly instruction. Most dev teams under deadline pressure will prioritize functional Passkey integration over exhaustive edge-case testing. The SFC's decision to exempt small platforms from immediate compliance acknowledges this, but the large platforms that must migrate now are exactly the ones with complex legacy systems. The battle-tested codebases they run were not designed for Passkey authentication. Rewriting the login flow requires coordination across frontend, backend, and security teams. Any misalignment creates a window for regression bugs.
Takeaway: The Real Test Is the Recovery Flow
The SFC's move is necessary — OTP is broken, and the regulator deserves credit for acting decisively. But code is law until the reentrancy attack finds the unprotected call instruction. The invariant of “phishing-resistant authentication” holds only if the entire ecosystem — from device enrollment to account recovery — is implemented with the same rigor. I will be watching the first major account recovery failure. That will tell us whether Hong Kong's licensed platforms have built a fortress or a facade. Tracing the recovery flow, not the authentication flow, will reveal the true state of security. Optimism is a feature, not a bug, until it fails.