South Korea’s digital identity blockchain prepares to add new credentials, go international
South Korea’s blockchain-based national mobile digital identity system is not due to be fully operational until 2024, but it is already in use for credentials such as the mobile driving license (mDL) and people with a particular status in the country have digitized their national ID. The mDL alone acts as digital ID in a wide set of uses.
Young people acquiring credentials for the first time can go mobile from the outset and a legal instrument may accelerate the rollout of credentials across government.
Beom Soo Park, deputy director of Digital Safety & Security Policy Division of the Ministry of the Interior and Safety explained the system and its genesis to Biometric Update in Seoul. Answers were given through an interpreter.
Blockchain ecosystem already in first gear
Three-quarters of a million South Koreans already have a blockchain-based mDL on their phones, as of 30 November, after signing up in the first few months of the scheme originally piloted in January 2022. The Digital Safety division expects registrations to accelerate as awareness of the credential and its benefits grow.
Anyone passing their test for the first time now can choose to go digital only, or take the traditional route with the plastic card with an IC chip. The photocard license is the first step for them and all other Koreans in acquiring digital ID.
The system is free to use for citizens and relying parties (service providers) alike.
The process begins by a user requesting to generate an mDL. This sets off a series of blockchain commands to generate public/private key infrastructure (see diagram). Then the user simply holds the plastic card to their smartphone which detects the IC through an NFC reader, requests a 4-digit passcode and then reads the chip.
No personally identifiable information is stored on the driving license chip, but a key which is checked against the central server. The phone camera scans the face of the driver and generates a face biometric template to compare with that held on the central server, and the phone number, a significant marker of identity in South Korea, is also checked.
The physical card is still key. “The in-person identification step is crucial to make the system more reliable,” said Park of the initial human check of a driver picking up their driving license from a government office.
One issue holding people back from creating an mDL is that they still carry older generations of the physical license, without the chip.
This first mobile credential already incorporates features of user control. The app produces a digital image of what looks much like the physical credential. Users can choose for certain data fields to be obscured. Then a vigorous shake of the smartphone will unblock those parts.
So far only the fields for half the ID number and address can be customized as the developers try to avoid overcomplicating the early releases.
Use cases online and in the physical world are already available with the mDL, giving it a foundational digital status. Mr. Park takes out his iPhone for a personal demonstration of his own ID. Going to a website for a government service, when he navigates to a page with a form, the site pushes to open his ID app. The app notifies him as to what data fields the form is requesting and he can give permission.
This may require his biometrics (face scan), a password or both, depending on the security level required.
In a retail setting, a user may want to buy an age-prohibited product. The app can generate a QR code which the shop staff, using an existing barcode reader, can scan. The QR code requires user biometrics and only lasts a few moments to prevent any under-age sharing. It also only relays a yes/no answer for age requirement, rather than giving a date of birth.
Shops, banks, rental car offices and personal mobility services are ready to accept the digital credential and the government is encouraging the next wave, such as credit card companies, insurance brokers and securities firms to follow suit.
“There’s no single law that governs ID,” says Park. “There are separate laws for different departments and different purposes – driver’s license, foreigner registration, registration for people with disabilities, resident registration – that all have a picture and personal information that are registered on a government department, which are reliable and can be used for banks and private institutions.”
This means a raft of new legislation may be required to cover each government department to allow resident registration and digital passports. Such legal change is slow and so in parallel, the identity team is “pushing to insert a new article in the Electronic Government Act to allow any public institution that issues physical identification to also issue mobile ID at the same time,” said Park.
There is little progress at the moment, however, with amending even this act.
National digital identity, verifiable credentials and a path to passports
The next step for the country’s Mobile Identification system and app is integrating the national ID, known as the Resident Registration. Though people of distinguished service to the state are already enrolling. These include war veterans, democratic campaigners and police and soldiers wounded in duty. In the 2018 census, there were 664,000 people in the distinguished service category. Overall figures for the number of these who have registered are not available, although what is described as a large proportion of them have enrolled.
Through 2023 more groups will become eligible ahead of official, general activation in 2024.
“Providing a passport is more complex because you need to get the agreements from other countries and it has to be incorporated into ICAO certifications,” says Park. “For now, we have trust with different countries on the written content of a passport and we have established specifications for electronic passports at ICAO, but we don’t have a specification agreed on digital passports.”
South Korea is following in the path of countries such as the Netherlands, signing MoUs with individual countries.
Part of the scheme architecture is that once a person already has one mobile credential, and has therefore undergone human verification for the collection of that physical biometric document, they will be able to use that to acquire subsequent mobile digital credentials.
The mDL blockchain is managed by the National Police Agency and Park notes that there will be further costs to other departments as they bring their credentials to the network. His Ministry of the Interior and Safety will have to provide the servers for the Resident Registration.
Block producers, read nodes and surveillance
As well as cost, previous attempts to introduce electronic Resident Registration failed due to being seen by opposition and NGOs as not necessary and as a risk of introducing Big Brother. Park’s team analyzed the issues: “Without blockchain technology there could be concerns about a surveillance state.”
In a non-blockchain system when a service provider verifies a user’s details against a server or vice versa, a user orders the central server to send details to the service provider, and it is easy to monitor the traffic.
“We wanted to alleviate this concern about the government knowing everything about what people are doing,” said Park. In the ecosystem of block producer (BP) nodes and read-only nodes, only the government can create IDs, but government agencies do not have access to the read nodes. Read nodes will only be used by private verifiers.
The system currently only accepts government issued-identity credentials, but officials hope to add verifiable credentials and official certificates for skills. They also hope to incorporate a way for legal persons to have a digital identity.
“For the government this is going to be the infrastructure for digital information sharing,” says Park. “Service providers are more and more becoming machines – they’re not human anymore,” he said, building the case for the need for digital identities.
The mobile digital identity is optimized for online and offline use and it proves more efficient than KYC that relies on banks and government departments, says Park. It still has its critics. The Decentralize Identity Alliance Korea is concerned that the government blockchain is too big and could have a monopoly.
Blockchain is also seen as a way to provide continuity of service when tech failures or attacks can impact servers. This was made apparent to Koreans in October by a fire at servers used by Kakao, the national super app, leading to outages.
If a user loses a phone, they can simply start again – as long as they have that original physical credential.
The authority is working to share insight into the system with other governments and entities such as the European Union. “We are in the consultation phase with 3 to 4 countries about ensuring interoperability,” says Park on the international outlook, but cannot yet name those countries.
Korean code, global hardware
Park remained tight-lipped about the cost of the system, calling it a sensitive topic. Previous attempts at introducing digital ID failed to be approved partly on cost, he admitted.
Software is being developed for the government by secure printer and minter KOMSCO, Raonsecure, which has previously deployed a blockchain-based biometric identity to the South Korean military and LG subsidiary LG CNS (which has recently deployed a blockchain-based digital ID to its own staff and developed face biometrics payment systems.
So far there is only the government app, but the authority is hoping to work with first-party apps such as Apple Wallet and Samsung Pay as hosts of Korean digital ID. “They generally have higher level safety and integrity of the data stored compared to third-party apps,” said Park.
“It’s not like Google is excluded. Samsung has control over the hardware and the personal data will be stored on the hardware, so that’s why we’d work with Samsung as a first party,” he adds.
Global development and interoperability is struggling to get off the ground due to a familiar issue: “It would be good if we could work with Google and Apple, but for the Korean government, to actually contact them and encourage them to cooperate with us is quite difficult.”
The chain expands, privately
Park’s team is working on other technologies to allow blockchains to work together, such as a Universal Resolver. They are also looking at ways for private institutions to add information to the government-operated mobile ID such as religion, politics, medical records and banking history.
These would not be controlled or issued by the government, but could be added on top of government-verified information as new layers, said Park.
Users should still have control over how data on them is used, but this may lead to privacy concerns.
“Of course, if the government is determined to monitor what is happening, it might ask private institutions or companies to let it monitor what is happening on the read nodes,” Park points out. “But that’s not a problem unique to blockchain.”
this post was updated at 12:55pm Eastern on January 3, 2023 with census data on persons in the distinguished service category.