Why was South Korea’s public certificate system abolished, and how has the situation changed since then?

In this blog post, we’ll examine the background and limitations of South Korea’s public certificate system, the changes in the electronic signature landscape following its abolition, and the future direction of the authentication system.

 

For a long time, public certificates served as the primary means of identity verification for electronic finance and e-commerce in South Korea. When online financial transactions began to take off in earnest, there was a need for a secure authentication method to verify that the parties involved were indeed who they claimed to be. Introduced in response to this need, public certificates were used in various fields—including internet banking, online shopping, and securities trading—and played a crucial role in the growth of South Korea’s electronic finance sector.
However, as time passed, the public certificate system began to reveal several limitations. In particular, its structure—which relied too heavily on specific technologies—along with user inconvenience and institutional limitations that failed to adequately reflect advancements in various authentication technologies, were consistently pointed out. These issues caused inconvenience not only for domestic users but also for overseas users accessing South Korean e-commerce sites, leading to widespread public debate.
In 2014, the need to improve the public certificate system was formally raised at the government level. At the time, the system’s problems garnered widespread attention as cases emerged where overseas consumers struggled to make payments on South Korean online shopping sites due to authentication procedures based on public certificates and ActiveX. Since then, relevant laws and regulations have been continuously revised, and with the full revision of the “Electronic Signature Act” taking effect in 2020, the public certificate system was officially abolished.
However, public certificates have not completely disappeared. Existing public certificates have been transitioned under the name “Joint Certificates” and can still be used at various financial institutions and public agencies. The key difference is that the structure in which the government prioritized a specific authentication method has been eliminated. Currently, not only Joint Certificates but also financial certificates, PASS authentication, Kakao authentication, Naver authentication, Samsung Pass, biometric authentication, FIDO-based authentication, and Passkey are all utilized on an equal footing in a competitive environment.
Back in 1999, when public certificates were first introduced, the internet environment itself was vastly different from what it is today. At that time, web browsers had limited functionality, and Internet Explorer effectively monopolized the market. In this environment, it was difficult to implement secure encryption and digital signatures using only a web browser, so installing programs via ActiveX was the practical choice. The government also adopted Internet Explorer-based ActiveX to ensure rapid adoption and stable service provision.
Initially, this approach proved somewhat effective. Internet banking and e-commerce spread rapidly, and user trust in online financial services increased. However, as time passed, while internet technology advanced rapidly, the public certificate system—which maintained its existing structure—began to reveal various problems.
The first issues to surface with ActiveX-based digital certificates were security and user convenience. To use a digital certificate, users had to install multiple security programs, and they were repeatedly confronted with installation prompts every time they accessed a financial institution or online store. Most users became accustomed to clicking the “Install” button without fully verifying the program’s functionality or source, which led to a decline in vigilance regarding security warnings. Additionally, users repeatedly faced the hassle of copying or re-registering their certificates whenever they changed operating systems or started using a new computer.
At the time, since the files containing the digital certificates could be transferred to other storage devices, managing them securely was of utmost importance. Although the certificates themselves were password-protected, there was still a risk of financial incidents if passwords were leaked or the system was infected with malware. Of course, these risks were not unique to digital certificates, but the system—which required individuals to store and manage their certificates themselves—placed a significant burden of responsibility on users.
Compatibility issues were also consistently raised. Since ActiveX only functioned properly in Internet Explorer, users of other web browsers such as Chrome, Firefox, and Safari often had to install separate programs or configure additional settings. In particular, macOS and Linux users faced significant restrictions when accessing financial services, and after smartphones became widespread, there were continued complaints that the existing authentication methods were inconvenient in mobile environments as well. Compared to the global internet environment, which was evolving around web standards, South Korea’s authentication system was criticized for being overly dependent on specific operating systems and browsers.
Another issue raised was that, in the event of an electronic financial incident, liability was disproportionately placed on the user. In the past, there were numerous cases where financial institutions accepted only limited liability on the grounds that identity verification procedures had been completed, provided that transactions were conducted using a properly issued digital certificate and password. However, subsequent legislation and court precedents related to electronic finance have evolved to strengthen user protection, and financial institutions are now actively assuming obligations to operate Fraud Detection Systems (FDS) and manage security. Consequently, the practice of shifting all liability to the user simply because authentication took place has improved significantly compared to the past.
Technological advancements have also brought significant changes to authentication methods. While digital certificates were virtually the only option in the past, a variety of authentication methods are now in use, including joint digital certificates, financial certificates, PASS authentication, Kakao authentication, Naver authentication, biometric authentication, FIDO-based authentication, and Passkey. Each authentication method can be selected based on the intended purpose and required security level, and environments that mandate the use of a single specific technology have disappeared.
OTP (One-Time Password) remains one of the key means of identity verification in use today. OTP works by generating a new password after a set period of time or by generating a one-time password each time a button is pressed. Financial institutions verify the numbers entered by users using the same authentication information; since these are one-time passwords, this method is effective in preventing attacks that involve repeatedly using the same number. Currently, not only physical OTP devices but also mobile OTPs are widely used, and they have established themselves as key components of multi-factor authentication (MFA) alongside other authentication methods.
At the same time, financial companies do not judge the security of a transaction based solely on the user’s authentication method. Fraud Detection Systems (FDS), which utilize artificial intelligence and big data technologies, comprehensively analyze factors such as login location, access device, IP address, transaction amount, time of use, and typical spending patterns to detect unusual transactions in real time. If a transaction is deemed high-risk, the system requests additional authentication or temporarily blocks the transaction to prevent financial incidents. This approach is considered a far more effective protective measure than the security systems of the past, which relied solely on a single certificate.
The current electronic signature environment is evolving toward fostering competition among various authentication methods rather than mandating a specific authentication technology. While joint certificates are still widely used, users can freely choose between financial certificates, private certificates, and biometric authentication depending on the situation. It is no longer necessary to use a single authentication method; the general trend is to apply the most suitable means by comprehensively considering the characteristics of the service, user convenience, and the required level of security.
A prime example is international e-commerce services. Global e-commerce companies have long opted to protect users by combining multiple security technologies rather than mandating a specific certificate. Users can proceed with a transaction by entering their shipping address and payment information after logging in, while financial institutions and payment service providers analyze various risk factors in real time throughout the transaction process. If suspicious activity is detected—such as accessing the service from a different country than usual, suddenly purchasing multiple high-value items, or logging in from a new device—the system may require additional authentication or hold the payment. In other words, transaction security is ensured not by a single certificate, but by the combined operation of multiple security technologies.
South Korea has also developed its authentication system along these lines. Currently, in addition to joint digital certificates, financial certificates and various private certificates are widely used in public and financial services, and biometric authentication—such as fingerprint and facial recognition on smartphones—has become an everyday means of authentication. Recently, Passkey technology, based on the international FIDO standard, has also been rapidly gaining traction. Passkeys verify a user’s identity by utilizing encrypted information stored on the device rather than requiring the direct entry of a password, offering the advantage of reducing the risk of phishing attacks and password leaks.
While authentication technologies continue to advance as described, no single authentication method can be considered absolutely secure. Whether it is a joint certificate, a financial certificate, biometric authentication, or a passkey, each has its own advantages and limitations. Therefore, the key is not to mandate a specific authentication method but to minimize risk by utilizing a variety of security technologies in combination. Users must manage their authentication information securely, while financial institutions and service providers must continuously adopt the latest security technologies and establish systems to quickly detect suspicious transactions.
The public certificate system played a crucial role in the growth of online finance in South Korea. Given the technological capabilities of the time, it was, to some extent, an unavoidable choice, and it did indeed contribute significantly to the development of electronic finance and e-commerce. However, as internet technology and the user environment changed rapidly, a system that effectively mandated a single authentication technology became out of step with the times and was ultimately phased out through an amendment to the Electronic Signature Act.
Today, South Korea’s authentication environment is far more diverse and flexible than in the past. Users can choose the method that best suits them from among various authentication options, and financial and public institutions can also establish authentication systems tailored to the characteristics of their services. Going forward, the key is not to prioritize any specific technology but to maintain technology neutrality while actively embracing new authentication technologies. As authentication systems continue to evolve in a way that enhances both user convenience and security, South Korea will be able to build an even safer and more trustworthy digital financial environment.

 

About the author

Cam Tien

I love things that are gentle and cute. I love dogs, cats, and flowers because they make me happy. I also enjoy eating and traveling to discover new things. Besides that, I like to lie back, take in the scenery, and relax to enjoy life.