BTC/USD $68,420 +2.8%
ETH/USD $3,540 +1.4%
SOL/USD $142.80 -0.6%
BNB/USD $605.20 +0.9%
XRP/USD $0.62 -1.2%
DOGE/USD $0.18 +5.4%
BTC/USD $68,420 +2.8%
ETH/USD $3,540 +1.4%
SOL/USD $142.80 -0.6%
BNB/USD $605.20 +0.9%
XRP/USD $0.62 -1.2%
DOGE/USD $0.18 +5.4%
Policy

Hong Kong SFC orders crypto platforms to replace SMS authentication

Hong Kong's Securities and Futures Commission (SFC) has ordered crypto platform operators to replace SMS-based authentication with stronger, phishing-resistant alternatives, marking a signifi

AnonymousCryptoCompass newsroom
July 9, 2026
3 min read
NEWS
Hero article visual / chart / editorial image
CryptoCompass editorial visual for policy coverage.

Hong Kong's Securities and Futures Commission (SFC) has ordered crypto platform operators to replace SMS-based authentication with stronger, phishing-resistant alternatives, marking a significant tightening of security standards for the city's regulated virtual-asset industry.

What the SFC is requiring from crypto platforms

TLDR KEY POINTS

  • The SFC issued a circular directing licensed crypto platforms to move away from SMS one-time passwords as an authentication method.
  • Platforms must adopt phishing-resistant authentication, such as app-based or device-bound alternatives.
  • The directive applies to virtual-asset trading platform operators licensed under Hong Kong's regulatory framework.

The SFC published circular 26EC35, which targets licensed virtual-asset trading platforms and online brokers operating in Hong Kong. The order is not a suggestion or best-practice guidance; it is a compliance requirement for regulated entities. For related coverage, see Canada Crypto Week Returns July 20–26, Celebrating the Future of Web3, Digital Assets and AI.

The change goes beyond a minor settings update. Platforms will need to overhaul how they verify user identity during login, withdrawals, and other sensitive account actions. The SFC's list of licensed virtual-asset trading platforms identifies the operators subject to these requirements. For related coverage, see Bitcoin, Ether Lead Sustained Gains for Crypto ETFs.

Why SMS authentication is being phased out

SMS one-time passwords have long been considered a weak link in account security. Attackers can intercept codes through SIM-swap fraud, where a mobile carrier is tricked into transferring a victim's phone number to a new SIM card controlled by the attacker. For related coverage, see Nvidia Crypto Lawsuit Gets Class Certification in California.

Phishing attacks also exploit SMS codes effectively. A user can be directed to a convincing fake login page, enter their password and SMS code, and hand both credentials to an attacker in real time. As FX News Group reported, the SFC is specifically mandating phishing-resistant authentication methods to counter these risks.

Stronger alternatives include hardware security keys, authenticator apps that generate time-based codes locally on a device, and passkeys tied to biometric verification. These methods do not transmit secrets over telecom networks, removing the interception vector entirely.

What this means for Hong Kong's licensed crypto market

Licensed platforms will need to update their login, withdrawal, and account-recovery flows to comply. For operators already using app-based two-factor authentication as an option, the change may involve making it mandatory and disabling SMS fallback. For those still relying primarily on SMS, the engineering and user-migration effort will be more substantial.

Users should expect prompts to enroll in new authentication methods. While the transition may cause short-term friction, the result is materially stronger protection against account takeover, a persistent problem across the crypto industry.

The directive fits within Hong Kong's broader push to build a credible, well-regulated crypto market. The city has been actively developing its stablecoin infrastructure and licensing framework simultaneously, positioning security standards as a prerequisite for institutional trust.

Companies expanding their crypto holdings in the region will need to factor compliance with these authentication standards into their operational planning. The SFC's accompanying announcement signals that enforcement expectations are immediate, not aspirational.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.

Read original article on nftenex.com