The Hong Kong Securities and Futures Commission (SFC) has mandated that internet brokerages and virtual asset trading platforms cease using one-time passwords for customer logins and device binding. This move aims to combat rising impersonation fraud attacks. Instead, the SFC requires the adoption of more robust authentication methods, such as passkeys and enhanced device binding, to prevent credential theft. Large internet brokerages must implement these changes immediately, while other institutions have a 12-month deadline. Additionally, firms are instructed to enhance monitoring of abnormal activities, including logins, trades, and withdrawals, and to promptly inform customers of any security breaches. Senior management will be held accountable for any customer losses due to inadequate internal controls.