Hong Kong SFC orders crypto platforms to replace SMS authentication

Hong Kong's Securities and Futures Commission has directed licensed crypto trading platforms to phase out SMS-based authentication, pushing exchanges toward stronger security measures to protect investor accounts.

What the SFC directive requires

The SFC issued a circular instructing virtual asset trading platforms operating under Hong Kong's licensing regime to replace SMS one-time passwords with more robust authentication methods. The order applies to platforms regulated by the SFC, not voluntary upgrades at the discretion of individual exchanges. For related coverage, see Canada Crypto Week Returns July 20–26, Celebrating the Future of Web3, Digital Assets and AI.

The directive targets authentication used across account login, withdrawal authorization, and other sensitive account operations. Platforms relying on SMS codes as their primary or sole second factor will need to transition to alternatives that meet the SFC's updated security expectations. For related coverage, see Reuters: UAE Crypto Companies Show Resilience Amid US-Israel and Iran Conflicts.

Hong Kong has been actively shaping its crypto regulatory framework in recent months. The city granted its first stablecoin licenses to major financial institutions earlier this year, signaling a broader push to bring digital asset services under tighter oversight. For related coverage, see Top Crypto News for April 10: Bitcoin Network Activity Slows.

Why SMS authentication falls short

SMS-based two-factor authentication has well-documented weaknesses. SIM-swapping attacks allow bad actors to hijack a victim's phone number by convincing a carrier to transfer it to a new SIM card, intercepting any codes sent via text message.

SS7 protocol vulnerabilities in telecom networks can also allow interception of SMS messages without physical access to the device. For crypto platforms, where account compromise can lead to irreversible loss of digital assets, these risks are particularly acute.

Stronger alternatives include time-based one-time password apps such as Google Authenticator, hardware security keys like YubiKey, and passkey-based authentication. These methods are not vulnerable to the same remote interception techniques that affect SMS.

The SFC's move aligns with a broader trend among financial regulators globally. Other jurisdictions in Asia-Pacific, including Taiwan, which recently passed its own Virtual Asset Service Act, have been raising baseline security and compliance standards for crypto platforms.

What exchanges and users should expect

Licensed platforms in Hong Kong will need to update their authentication workflows. This likely means redesigning login flows, transaction confirmation steps, and account recovery processes to eliminate SMS as an option.

Users currently relying on SMS codes should expect to be prompted to enroll in an alternative authentication method. Platforms will likely guide users through setting up an authenticator app or registering a hardware key before SMS is fully deprecated.

The transition may also affect onboarding. New users signing up for Hong Kong-regulated exchanges will likely encounter non-SMS authentication requirements from the start, adding a small friction point but meaningfully raising the security baseline.

For Hong Kong's regulated crypto market, the directive reinforces the SFC's positioning as a hands-on regulator. Details of the announcement indicate the commission views platform security standards as central to investor protection in the digital asset space.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.