South Korea’s digital identity blockchain prepares to add new credentials, go international

South Korea’s blockchain-based national mobile digital identity system is not expected to be fully operational until 2024, but it is already in use for identification such as the mobile driver’s license (mDL) and people with a special status in the country have digitized their national ID. mDL alone functions as a digital ID in a number of areas of use.

Young people acquiring ID for the first time could be mobile from the start, and a legal instrument could accelerate the roll-out of ID across government.

Beom Soo Park, Deputy Director of the Digital Security and Security Policy Department of the Ministry of Home Affairs and Security explained the system and its origins to Biometric update in Seoul. The answers were given through an interpreter.

Blockchain ecosystem already in first gear

Three-quarters of a million South Koreans already have a blockchain-based mDL on their phones, as of November 30, having signed up during the first months of the scheme which was initially tested in January 2022. The Digital Safety division expects registrations to increase as awareness of the credential and its benefits grows.

Anyone who passes the test for the first time can now choose to go digital only, or take the traditional route with the plastic card with an IC chip. The photo card license is the first step for them and all other Koreans in obtaining a digital ID.

The system is free to use for both residents and dependent parties (service providers).

The process starts with a user requesting to generate an mDL. This initiates a series of blockchain commands to generate public/private key infrastructure (see diagram). The user then holds the plastic card to their smartphone which detects the IC through an NFC reader, asks for a 4-digit password and then reads the chip.

No personally identifiable information is stored on the driver’s license chip, but a key that is checked against the central server. The phone camera scans the driver’s face and generates a facial biometric template to compare with the one held on the central server, and the phone number, a significant identity marker in South Korea, is also checked.

The physical card is still the key. “The personal identification step is essential to make the system more reliable,” Park said of the first human verification of a driver collecting his driver’s license from a government office.

One problem holding people back from creating an mDL is that they still have older generations of the physical license, without the chip.

This first mobile credential already includes features for user control. The app produces a digital image of it that closely resembles the physical ID. Users can choose to hide certain data fields. Then a vigorous shaking of the smartphone will unblock these parts.

So far, only the half ID and address fields are customizable as the developers try to avoid overcomplicating the early releases.

Use cases online and in the physical world are already available with mDL, giving it basic digital status. Mr. Park takes out his iPhone for a personal demonstration of his own ID. When he goes to a website for a government service, when he navigates to a page with a form, the website pushes to open his ID app. The app notifies him of which data fields the form is asking for, and he can grant permission.

This may require his biometrics (face scan), a password, or both, depending on the level of security required.

In a retail store, a user might want to buy an age-restricted product. The app can generate a QR code that store staff can scan using an existing barcode reader. The QR code requires user biometrics and only lasts a few moments to prevent sharing by minors. It also only gives a yes/no answer for age requirements, rather than providing a date of birth.

Stores, banks, rental car offices and personal mobility services are ready to accept the digital ID, and the government is encouraging the next wave, such as credit card companies, insurance brokers and securities firms, to follow suit.

Legal update

“There is no single law that governs ID,” says Park. “There are separate laws for different departments and different purposes – driving licences, alien registration, registration for the disabled, resident registration – all of which have a picture and personal data registered in a government department, which are reliable and can be used for banks and private institutions.”

This means that a raft of new legislation may be needed to cover each government department to allow for citizen registration and digital passports. Such legal change is slow, so in parallel, the identity team is pushing to insert a new article in the Electronic Government Act to allow any public institution that issues physical identification to also issue mobile ID at the same time, Park said.

However, there is little progress at the moment in changing even this law.

National digital identity, verifiable identification and a path to a passport

The next step for the country’s mobile identification system and app is to integrate the national ID, known as Resident Registration. Although people with excellent service to the state are already signing up. These include war veterans, pro-democracy activists and police and soldiers wounded in the line of duty. Total figures for the number of people registered are not available, although what is described as a large proportion of them are registered.

Through 2023, several groups will be qualified before official, general activation in 2024.

“Giving a passport is more complex because you need to get the agreements from other countries and it needs to be incorporated into ICAO certifications,” says Park. “Currently, we trust different countries about the written content of a passport, and we have established specifications for electronic passports at ICAO, but we do not have an agreed specification for digital passports.”

South Korea is following in the footsteps of countries such as the Netherlands, signing MoUs with individual countries.

Part of the scheme architecture is that when a person already has one mobile ID, and therefore has undergone human verification for the collection of the physical biometric document, they will be able to use it to obtain subsequent mobile digital IDs.

The mDL blockchain is managed by the National Police Agency and Park notes that there will be additional costs for other departments when they bring their credentials to the network. His Ministry of the Interior and Security must provide servers for the resident registration.

Block producers, read nodes and monitoring

In addition to the cost, previous attempts to introduce electronic resident registration failed because the opposition and NGOs saw it as unnecessary and as a risk of introducing Big Brother. Park’s team analyzed the issues: “Without blockchain technology, there could be concerns about a surveillance state.”

In a non-blockchain system, when a service provider verifies a user’s details against a server or vice versa, a user orders the central server to send details to the service provider, and it is easy to monitor the traffic.

“We wanted to alleviate this concern that the government knows everything about what people are doing,” Park said. In the ecosystem of block producer (BP) nodes and read-only nodes, only the government can create IDs, but government agencies do not have access to the read nodes. Read nodes will only be used by private verifiers.

The system currently only accepts government-issued identification, but officials hope to add verifiable identification and official certificates of proficiency. They also hope to incorporate a way for legal entities to have a digital identity.

“For the government, this is going to be the infrastructure for digital information sharing,” says Park. “Service providers are becoming more and more machines – they are not human anymore,” he said, building the case for the need for digital identities.

The mobile digital identity is optimized for online and offline use, and it proves to be more efficient than KYC that relies on banks and government departments, says Park. It still has its critics. Decentralize Identity Alliance Korea is concerned that the government’s blockchain is too large and could have a monopoly.

Blockchain is also seen as a way to provide continuity of service when technical failures or attacks can affect servers. This was made clear to Koreans in October when a fire on servers used by Kakao, the national super app, caused power outages.

If a user loses a phone, they can simply start over – as long as they have the original physical credentials.

The authority is working to share insights into the system with other authorities and entities such as the EU. “We are in the consultation phase with 3 to 4 countries to ensure interoperability,” says Park about the international perspective, but cannot yet name these countries.

Korean code, global hardware

Park remained tight-lipped about the cost of the system, calling it a sensitive topic. Previous attempts to introduce digital ID were not approved in part because of cost, he admitted.

Software is being developed for the government by secure printer and coins KOMSCO, Raonsecure, which previously deployed a blockchain-based biometric identity to the South Korean military and LG subsidiary LG CNS (which recently deployed a blockchain-based digital ID to its own employees and developed facial biometrics payment systems.

So far, it’s only the government app, but the authority hopes to work with first-party apps like Apple Wallet and Samsung Pay to host Korean digital ID. “They generally have higher security and integrity of the data stored compared to third-party apps,” Park said.

“It is not that Google is excluded. Samsung has control over the hardware and the personal data will be stored on the hardware, so that’s why we want to work with Samsung as a first party, he adds.

Global development and interoperability is struggling to get off the ground due to a known problem: “It would be great if we could work with Google and Apple, but for the Korean government, to actually contact them and encourage them to work with us ​is quite difficult.”

The chain is expanding, privately

Park’s team is working with other technologies to allow blockchains to work together, such as a Universal Resolver. They are also looking at ways private institutions can add information to the government mobile ID such as religion, politics, medical records and banking history.

These will not be controlled or issued by the government, but can be layered on top of government-confirmed information as new layers, Park said.

Users should still have control over how their data is used, but this can lead to privacy concerns.

“Of course, if the government is determined to monitor what’s going on, it can ask private institutions or companies to let it monitor what’s happening on the read nodes,” Park points out. “But that’s not a problem unique to blockchain.”

Article topics

biometrics | blockchain | privacy | digital ID | digital identity | facial biometrics | mDL | mobile app | national ID | South Korea | verifiable identification

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *