[In-Depth Review] The Era of Private Certificates: Finance Must Actively Utilize Them Too

Kyoomin Cho, Head of the Autonomous Support Department, Financial Security Institute

‘Naver, Kakao, PASS, ShinhanSign, KB Mobile Certificate...’ are all private authentication services used for this year’s National Tax Service year-end tax settlement simple authentication. Not only ICT companies such as big tech and telecommunications companies but also traditional financial institutions have entered the private authentication market, competing by emphasizing their own advantages such as convenience and security to attract subscribers. With the total number of private authentication subscribers already reaching tens of millions, it is no exaggeration to say that the era of private authentication has arrived.

The reason why leading domestic companies are actively developing and promoting private authentication is the perception that private authentication will serve as a ‘gateway’ in the digital and platform era. Since everyone must go through authentication (login) as the first step to use non-face-to-face online services, it is strategically interpreted that securing the private authentication market, which corresponds to the digital gateway, can not only lock in their own customers but also be advantageous for acquiring new customers.

Furthermore, with the MyData project in the financial sector, which was fully implemented this year, mandating the application of at least one private authentication, the utilization and influence of private authentication are expected to expand into the data field. Accordingly, competition among businesses to secure leadership in the private authentication market is expected to intensify further.

The Ministry of Science and ICT operates the ‘Electronic Signature Certification Business Operator Evaluation and Recognition System’ to enhance the reliability of private authentication and enable subscribers and users to reasonably select private authentication. Businesses seeking recognition as electronic signature certification operators must be evaluated by designated evaluation institutions such as the Financial Security Institute on technical requirements of private authentication, facility and data protection measures, and personal information protection measures, and the Korea Internet & Security Agency, the recognition institution, decides on the recognition. Since the evaluation and recognition system began in October 2010, a total of 16 businesses have acquired the qualification of electronic signature certification operators to date.

Although the financial sector must focus on digital innovation, it also shows a somewhat cautious attitude toward adopting external services due to concerns such as security. Banks are focusing on promoting and expanding their own private authentication businesses rather than external ones, and other sectors such as insurance companies are applying private authentication from big tech companies from the perspective of customer convenience, but the pace is slow. The old public certification, introduced in 1999, is still actively used even after 20 years.

Digital transformation is an inevitable trend that no one can avoid, and the financial sector needs to be more proactive in adopting private authentication. The private authentication market has already passed the initial stage and entered a full growth phase where distribution and partnerships are rapidly expanding, so the financial sector must accept these changes in the authentication environment and respond agilely according to their digital strategies.

Also, since private authentication is used in areas closely related to personal assets such as fund transfers, stock trading instructions, and MyData integrated authentication, security must be prioritized. Unauthorized issuance or hacking of private authentication by others can directly lead to electronic financial accidents. When adopting private authentication, acquiring the qualification of ‘electronic signature certification operator’ should be a mandatory requirement, and the security level of private authentication, such as identity verification level and security vulnerabilities, as well as additional procedures required for application, must be thoroughly reviewed. Attackers always focus on the ‘weakest link’ in the security chain.

Jo Gyumin, Head of Autonomous Support Department, Financial Security Institute