The Hong Kong Securities and Futures Commission (SFC) just dropped a circular that, on the surface, reads like a common-sense security patch: ban one-time passwords (OTP) for licensed crypto platforms, replace them with phishing-resistant methods like Passkeys. But beneath this seemingly straightforward directive lies a tectonic shift in how we define 'secure access' in digital finance. This isn't just about switching a login box; it's about re-architecting the trust model between platforms and their users.
The circular, issued on July 8, 2026, mandates that all licensed internet brokers and virtual asset service providers (VASPs) eliminate OTP as a standalone authentication factor by July 8, 2027. For large entities, compliance begins 'immediately'. The driver? A surge in targeted SMS phishing and man-in-the-middle attacks that siphoned user credentials, leading to significant client asset losses. The SFC cites data that 57% of major security incidents in recent years involved phishing. This is a response to a clear and present danger.
But as someone who has spent years auditing smart contracts and building community trust in the wild west of crypto, I find the solution as provocative as the problem. The SFC recommends Passkeys—a standard built on public-key cryptography where the private key never leaves the user's device. No more interceptable SMS codes. No more gift codes lost in transit. Instead, authentication relies on a local biometric (Face ID or fingerprint) or a PIN, tied to a hardware-backed secure enclave. This is technically elegant. It removes the weakest link: the human tendency to click fake links.
Yet, here is the quiet tension: Code is law, but conscience is the interpreter. The SFC is forcing an industry to adopt a technology that, while cryptographically sound, introduces new vectors of exclusion and fragility. Consider the user who loses their phone. Under OTP, they could request a new code via email or a backup SIM. Under Passkey, if they have not registered a second device—and the SFC caps bound devices at three—they may face a permanent lockout. The circular mentions 'account recovery' but offers no blueprint. In my past work on 'Verifiable Humanhood' using zero-knowledge proofs, I learned that recovery mechanisms are the most complex part of any trust-minimized system. Get it wrong, and you trade phishing risk for a catastrophic single point of failure: device ownership.
Moreover, the compliance burden is asymmetrical. Large platforms like OSL or HashKey can absorb the cost of UX redesign and user education. Smaller licensed VASPs, which already operate on thin margins, face a trilemma: rush an insecure implementation, lose users to friction, or exit the market. The SFC's 12-month window sounds generous, but for a system integrator building secure enclave interactions and fallback recovery, it is tight. I have seen similar mandates in traditional finance—like the push for PSD2 Strong Customer Authentication in Europe—that caused weeks of service disruptions. History whispers, yet few listen.
Contrarian thought: The loudest voice is rarely the most aligned. The market will likely celebrate this as a net positive for security. Bitcoin maximalists will nod at the elimination of a centralized SMS vector. But we must ask: Does forcing Passkeys centralize trust into the hands of device manufacturers (Apple, Google, Microsoft)? Passkeys are not a blockchain innovation; they are a proprietary ecosystem. The private key lives in a phone's Secure Enclave, which is controlled by a corporation that can change its policies overnight. This is a different kind of custody—custody of authentication. And the SFC's insistence on 'no more than 3 bound devices' nudges users toward a single-platform lock-in. Solitude is the only auditor that never sleeps, but here, solitude might mean a bricked account.
There is also the issue of user consent. Many retail investors in Hong Kong are older, non-technical, and comfortable with OTP. Forcing a biometric login may raise privacy concerns about facial data stored locally—even if cryptographically secure. The emotional transition will be friction. I recall building 'The Silent Node' community in 2020: trust is built in silence, broken in noise. Here, the noise of mandatory migration could drown out the signal of safety.
From a regulatory lens, this circular sets a global precedent. No other major jurisdiction has banned OTP outright for crypto platforms. This positions Hong Kong as the strictest environment for digital asset operations. It also clarifies liability: the SFC explicitly states that platforms will be held accountable for losses due to inadequate cybersecurity. This is a powerful deterrent against half-hearted implementations. But it also raises the stakes for every error.
My takeaway is not opposition to Passkeys—they are mathematically superior. Rather, the community must demand transparency in recovery mechanisms, open-source auditing of the implementation, and a safety net for users who do not fit the tech-native profile. The SFC's circular is an opportunity to set a higher standard, but only if we acknowledge that security is not a feature; it is the foundation. And foundations require constant scrutiny, not just a change of lock.
As we move toward a future where AI agents interact on-chain, the authentication layer becomes even more critical. I have argued that human-centric design must prevail. This circular forces that conversation—but it must be paired with accountability for the new dependencies it creates. The loudest voice may champion Passkeys today; the most aligned will be the one that ensures no user is left behind.


