On July 8, 2025, the Hong Kong Securities and Futures Commission (SFC) issued a circular that effectively outlawed one of the most common authentication methods in finance: the one-time password (OTP). This wasn't a suggestion; it was a direct mandate to licensed internet brokers and virtual asset service providers (VASPs) to replace OTP with phishing-resistant authentication, specifically Passkeys, within 12 months. Large firms had to act 'immediately.'
The move came after a wave of SMS phishing attacks that compromised users' accounts, leading to a forensic investigation by the SFC. The circular's language was sharp and unequivocal: OTP is not phishing-resistant. The narrative didn't hold—the simple six-digit code that powered two-factor authentication for decades was now a liability.
The Context: A Regulatory Evolution
To understand why the SFC took such a direct technical stance, we have to look at the historical narrative cycles. In 2020, the SFC issued its first cybersecurity guidelines for licensed corporations. They were broad, principle-based recommendations. By 2025, after a series of high-profile attacks targeting Hong Kong's internet brokers and VASPs, the SFC realized that recommendations weren't enough. The attack surface had grown too large. According to the circular's own data, over 57% of phishing attacks in the preceding year had targeted credential and OTP interception. The SFC had to step in.
The core fact is this: the circular doesn't just suggest better security; it outlaws a specific technology (OTP) and mandates a specific architecture (public-key cryptography via Passkeys). This is a major escalation. It moves regulation from 'comply with the spirit' to 'comply with the code.'
The Core: Tracing the Ghost in the Code
Let me dive into the technical mechanism. The vulnerability of OTP is not a secret. It's a time-based code sent via SMS or generated by an authenticator app. The problem is that SMS is trivially interceptable—SIM swapping, SS7 attacks, or simple phishing sites that capture both password and OTP. The SFC's circular explicitly cites 'man-in-the-middle attacks' and 'SMS phishing' as the trigger. These are not theoretical risks; they've been exploited to drain user accounts across multiple platforms.
Passkeys, on the other hand, are based on asymmetric cryptography. A private key is generated and stored securely on the user's device, protected by biometrics or a PIN. When logging in, the user authenticates locally, and the device cryptographically signs a challenge. No secret is ever transmitted over a network. This eliminates phishing, credential theft, and intercept-based attacks. The SFC is essentially forcing a 'trust-minimized' authentication model—the same principle that underpins blockchain security—into the fiat-crypto bridge.
I hunt the story that the chart hides. Here, the hidden story is the psychological shift. Users were trained to trust a six-digit code that arrived on their phone. That trust was broken by the frequency of attacks. The SFC's move is a direct acknowledgment that the human layer—our tendency to enter OTPs into convincing fake sites—cannot be fixed with education alone. The system itself must be redesigned.
From a sentiment analysis perspective, the market reaction is muted but telling. Licensed exchanges like OSL (BC Technology Group) and HashKey face immediate compliance costs. Their stock prices wobbled, but the broader crypto market didn't flinch. Why? Because this is a niche, regulatory event in a single jurisdiction. But the narrative impact is deeper. The circular sets a new baseline for 'compliance safety.' Platforms that adopt Passkeys quickly can market themselves as more secure than competitors who lag. But there's a catch: the cost of compliance is significant. Based on my consulting experience, integrating Passkey infrastructure, updating user flows, and conducting security audits will cost each licensed platform between $500,000 and $2 million. For smaller players, this could be existential.
The Contrarian: The Blind Spot in the Mandate
Every regulation has a blind spot, and this one is no different. The circular explicitly requires that Passkey credentials be bound to no more than three user devices. On the surface, this limits exposure. But think about the real-world scenario: a user loses their phone, then their backup laptop is stolen. They are left with a single device and no way to recover their Passkey. The circular is silent on account recovery mechanisms. This is the ghost in the machine.
If a user cannot recover their Passkey, they lose access to their accounts. Permanently. The SFC mandates that platforms take responsibility for client losses due to security failures (information point 10), but what about losses due to user error or device failure? The regulation's silence on this is a ticking time bomb.
Another contrarian angle: this mandate may accelerate the centralization of security around platform-controlled recovery systems. To avoid PR disasters, exchanges will build their own recovery processes—potentially introducing new attack vectors like social engineering of customer support. The narrative didn't hold that Passkeys are a panacea. They are a strong layer, but the system is now more complex behind the scenes.
The Takeaway: The Next Narrative Shift
The SFC's Passkey mandate is more than a Hong Kong story. It is a beta test for global regulators. If the next 12 months show a measurable reduction in credential theft, we can expect similar mandates in Singapore, the UK, and the US within 18–24 months. But if a wave of 'lost forever' accounts creates a public outcry, the narrative will pivot from 'security upgrade' to 'accessibility nightmare.'
The real winners here aren't the exchanges or even the users—they are the B2B security service providers offering Passkey implementation, audit, and user education. The market for phishing-resistant authentication just got a government-mandated boost.
I'm mining for meaning in a sea of volatility. The signal is clear: the era of the simple OTP is over. What replaces it will be stronger, but the human factor—the recovery, the training, the empathy for a user who just wants to log in—remains the uncharted territory. The SFC traced one ghost. There are more.