Regulatory clarification sets stage for major FIDO biometrics uptake in South Korea

South Korea has eliminated a significant barrier to the usage of the FIDO protocol for passwordless authentication by confirming that it falls outside the scope of a requirement for user consent to process biometrics.
Members of the FIDO Alliance Korea Working Group (FKWG) submitted an official inquiry to the Korea Personal Information Protection Commission (KPIPC), which has responded by stating that the consent rules do not apply to biometric processes performed entirely on user-controlled devices. Since biometric data is not collected, stored or processed by the organization requesting FIDO authentication, the process does not qualify as processing personal information under the Personal Information Protection Act.
The KPIPC is in the midst of a process to significantly strengthen South Korea’s data protection measures in response to a major data breach in the country.
The petition from FKWG members was led by biometric authentication provider Octatco.
“This decision eliminates the biggest barrier to deploying FIDO-based biometric authentication in Korea,” says FKWG Vice Chair Kieun Shin in the announcement. “Enterprises can now adopt secure, phishing-resistant authentication without the friction of collecting additional consent.”
The Financial Security Institute (FSI) of South Korea had issued guidance in 2023 distinguishing between server-based biometric authentication systems and those like FIDO that work on-device. The question of consent requirements was not directly addressed, however, leading many Korean businesses, including financial institutions, to avoid the potential regulatory issue by declining to adopt FIDO authentication.
The result was a heavy operational burden, complex legal and compliance reviews, a reduced market appetite for biometric multi-factor authentication (MFA) and slower adoption of phishing-resistant passwordless authentication, FKWG says.
The FKWG discussed the implications of the clarification at a workshop on Friday in Seoul, South Korea, during a session titled “No Consent Required – Regulatory Breakthrough for FIDO Biometrics in South Korea.”
The clarification could add a major tailwind to FIDO adoption in South Korea, where bodies like the Electronics and Telecommunications Research Institute (ETRI) have recommended FIDO adoption and 21 of the country’s 23 largest banks already had FIDO authentication in place back in 2018.