Facial authentication to verify a customer’s face when activating a mobile phone is a month away, but market unease persists. Distribution channels agree with the aim of preventing fraudulent activations and so-called ghost phones, but raise concerns that burdens tied to biometric data use are being pushed onto the frontline.

Pilot extended; alternative authentication methods under review

The Ministry of Science and ICT will introduce facial authentication for mobile phone activation from July. It had planned to formally adopt the system on March 23, but extended the pilot period by about 3 months as industry opposition continued.

The facial authentication plan has been controversial since it was announced. A pilot began in December last year, but distribution channels said the facial authentication success rate was low and the system was unstable. The budget carrier sector, which relies heavily on non-face-to-face sales, also raised concerns about customer inconvenience because users must complete the authentication process themselves.

Related agencies also raised objections. The National Human Rights Commission on March 13 recommended that the ministry carefully re-examine the policy to make facial authentication mandatory when activating a mobile phone. It cited the need for a clear legal basis and guarantees of choice for data subjects because biometric information is difficult to reverse if leaked.

The ministry ultimately postponed implementation. On March 20, a week after the commission’s recommendation, it decided to extend the pilot period through June 30. The ministry explained the decision was made after a comprehensive review of industry views from the three mobile carriers, the Korea MVNO Association and the Korea Mobile Communication Distribution Association, among others.

During the extended pilot, the ministry has focused on reviewing alternative methods. It is testing various options, including PIN verification within the mobile ID app provided by the Ministry of the Interior and Safety, verification via video calls, other biometric methods such as fingerprints and iris scans, and bank account verification, to prepare for final implementation.

But the Personal Information Protection Commission also recommended improvements, reviving speculation about another delay. The commission held a full meeting on the 27th of last month and approved an improvement recommendation to the ministry. It concluded that safeguards across collection, use, storage and destruction were insufficient given that biometric information requiring strict protection would be introduced as an identity verification method. It also raised as an issue that existing laws do not clearly provide a legal basis to use facial information as a means of identity verification in the mobile phone activation process.

Ministry reaffirms July rollout; distributors complain of burden

The ministry, however, says it will implement the system as scheduled. Deputy Prime Minister and Science and ICT Minister Kyung-hoon Bae (배경훈) drew a line under the delay speculation at a press briefing to mark the first anniversary of the government’s launch on the 29th of last month, saying, "We originally decided to run the pilot until June 30." Woo-hyuk Choi (최우혁), head of the Information Protection Network Office, also reaffirmed the July rollout plan, saying, "We are consulting well with businesses on various methods that are sufficiently substitutable."

The ministry sees the facial authentication system as effective in reducing fraudulent mobile phone activations. It says cases have continued in which phones are activated under another person’s name and then used for voice phishing, smishing or the distribution of ghost phones, making it necessary to raise the level of identity verification at the activation stage.

The system’s introduction is also attributed to criticism that existing ID checks alone have limits as non-face-to-face activations and identity theft through distribution networks continue. The ministry previously held a separate briefing to explain itself when security concerns emerged. It said the facial authentication process only checks whether an ID photo matches a real-time facial video and does not separately store or save biometric data used for authentication.

The problem is that the burden from implementation could be concentrated on the frontline. Retailers must guide consumers through additional authentication steps and respond even when errors occur or the process fails. If errors occur during authentication or consumers are reluctant to provide biometric information, retailers are likely to bear activation delays and complaints.

Kyu-ho Yeom (염규호), chairman of the Korea Mobile Communication Distribution Association, said, "I agree with strengthening identity verification procedures to reduce ghost phones," but added, "There are big concerns on the ground, such as authentication errors or clashes with consumers." Yeom also said, "Above all, the possibility of user inconvenience must be addressed."

Another telecom industry official said, "In the field, consumer complaints can grow just from activations taking longer," adding, "Even if alternative authentication methods are prepared, we will have to see whether they actually work smoothly." The official also said, "Users who are not familiar with the authentication process may take time to understand it," adding, "The government should closely check conditions on the ground before implementing the system."

Unclear accountability also needs to be resolved. If activation is delayed due to facial authentication failures or during alternative authentication, user complaints are likely to be directed at frontline distribution channels. It is also not clear who would be responsible among carriers, retailers and the entity operating the authentication system when problems occur in the process.

In the telecom industry, there are calls to further specify detailed operating standards before implementation. Another telecom industry official said, "There is a need to set detailed operating standards so the frontline burden does not grow excessively," adding, "If response procedures and the scope of responsibility are not clear when errors occur, confusion will be unavoidable in the early stages of implementation."