eIDAS 2.0 vs. Korea’s Digital Identity System: A Comparative Analysis

eIDAS 2.0: Europe’s Digital Identity Framework

The EU’s eIDAS 2.0 (Electronic Identification, Authentication and Trust Services 2.0) is a next-generation digital identity strategy centered on the European Digital Identity Wallet (EUDI Wallet). The wallet is a wallet-based identity credential intended for all EU citizens and residents: it lets individuals securely store and manage their digital identity and share only the necessary attributes when needed[1][2]. The amended regulation entered into force in May 2024, and it requires each Member State to provide at least one qualified digital identity wallet by 2026[3]. The aim is to build a harmonized identity system across the EU and enable cross-border recognition in electronic transactions and services.

Under this Trust Framework, standards for wallets and trust services (e-signatures, e-seals, etc.) are defined to ensure interoperability across Member States[4]. eIDAS 2.0 raises assurance levels (LoA) and explicitly codifies privacy principles such as data minimization[5]. It aligns with self-sovereign identity (SSI) ideas: individuals control their identity data and can use selective disclosure so that only the minimum necessary attributes are shared[5][3]. For example, for age verification, the wallet can be designed to disclose “over 18” rather than the full date of birth.

eIDAS 2.0 also reframes the role of the private sector. Compared to the original 2014 eIDAS, which focused largely on public services, the revised regulation expands usage to private-sector services (banking, healthcare, telecom, etc.)[5]. It also pushes large online platforms to accept public digital identity options, reducing reliance on private login ecosystems and aiming for a more neutral public identity baseline[6]. Private actors can participate, but under EU-wide standards and certification, limiting unaccountable dominance.

In short, eIDAS 2.0 strengthens user-centric privacy through a wallet model while building a public trust network that allows private participation under strict rules. It aims to make digital administration and commerce more convenient and secure[7], and it is often described as “returning data sovereignty to individuals”[2].

Korea’s Mobile ID System

Korea’s mobile ID is an official smartphone-based digital ID issued by the government, with legal equivalence to physical IDs such as the resident registration card and driver’s license[8]. Since 2020, the Ministry of the Interior and Safety has introduced mobile IDs in phases—starting with government employee IDs (2021), then expanding to the general public (mobile driver’s license, 2022), national merit IDs (2023), and overseas citizen identity documents (2024)[9]. A pilot for the mobile resident registration card began in December 2024, with nationwide rollout targeted from 2025[10][11]. The goal is to build a digital ID infrastructure that can replace plastic cards for both online and offline use.

Technically, the system stores credential data in the phone’s secure area (e.g., TEE/eSE) and verifies authenticity using decentralized identity (DID) approaches, often described as blockchain-based[12]. Because credentials are held on the user’s device rather than stored centrally, the government argues it reduces mass-leak risk and improves security[13]. Users can present only necessary fields; for example, for age checks, the app can hide address details and show only “adult verification”[12]. The system is described as leveraging PKI and blockchain for anti-tamper verification while minimizing personal data exposure[14][15].

Legally, Korea has updated relevant statutes (e.g., the Resident Registration Act) to recognize mobile IDs as equivalent to physical IDs[8]. Mobile IDs are accepted in many contexts, including public services, financial institutions, and airports[16][17]. To increase adoption, the government partnered with major private apps: from July 2025, mobile IDs can be issued through five private platforms (e.g., Naver, Kakao, Toss, major bank apps)[18], with operators selected from those that pass government security evaluations[19][20]. This strategy integrates large private distribution channels into a government-led credential system.

Mobile ID is expected to improve both convenience and security: users can rely on a single device, reduce the need for over-sharing, and strengthen privacy through selective disclosure[13]. However, early rollout faces challenges: older devices, limited support for some foreign residents, and user anxiety about reliability/security[23][24][25]. The government has paired rollout with initiatives for digital inclusion and public communication[24][13].

Private Identity Verification (CI/DI) and Policy Controversies

Before mobile IDs, Korea’s online identity verification relied heavily on private identity verification services. The system was introduced to reduce uncontrolled collection of resident registration numbers, functioning as an alternative “resident-number replacement” mechanism. Designated private identity providers (often telecom operators) verify users via mobile verification or i-PIN, then issue identifiers to services[26][27]. Two core concepts are CI and DI:

  • CI (Connection Information): an 88-byte encrypted unique identifier, stable for life across providers[28]. Services often use CI as a substitute identifier after verification[26][27].
  • DI (Duplication Information): a site-specific 64-byte identifier used to prevent duplicate registrations[29].

In practice, many services use CI received via mobile verification (e.g., PASS) to identify users.

This CI/DI ecosystem has faced significant criticism. A central critique is that CI functions like an “online resident registration number”[31]: even if introduced to avoid collecting resident numbers, CI can effectively map 1:1 to individuals and become a persistent tracking identifier[31]. Because DI can be inconsistent across methods/providers, many services “conveniently” use CI as a shared key, reinforcing cross-service linkability[32]. Another concern is user agency: users cannot control, rotate, or reissue their CI/DI even after exposure[33]. DI, in particular, has been discussed as lacking explicit legal protections, raising concerns about third-party visibility into where an individual registered online[34]. Critics also point to closedness and low international portability: because the system is tightly coupled to Korea’s resident registration regime, it can be difficult for foreign residents, and it lacks cross-border interoperability[35]. Finally, DI inconsistency undermines the original “duplicate registration prevention” purpose and encourages even more CI use[36].
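
The linkability critique above, as an added example that is not code from any identity provider: two services’ account tables are joined first on a lifelong CI-style value and then on a site-specific DI-style value. The derivations, `PROVIDER_SECRET` and all names are hypothetical stand-ins; only the 88- and 64-byte lengths come from the text.

```python
import base64, hashlib, hmac

# Constructed stand-in secret: the real CI/DI derivations are not given on the page.
PROVIDER_SECRET = b"constructed-provider-secret"

def make_ci(person_id):
    """One lifelong value per person: 64-byte MAC encodes to 88 base64 characters."""
    mac = hmac.new(PROVIDER_SECRET, person_id.encode(), hashlib.sha512).digest()
    return base64.b64encode(mac).decode()

def make_di(person_id, site_id):
    """Site-specific value: 48-byte MAC over site and person, 64 base64 characters."""
    msg = f"{site_id}|{person_id}".encode()
    mac = hmac.new(PROVIDER_SECRET, msg, hashlib.sha384).digest()
    return base64.b64encode(mac).decode()

def register(people, site_id):
    """Rows a service keeps after verification: identifiers plus its local account."""
    return [{"ci": make_ci(p), "di": make_di(p, site_id),
             "account": f"{site_id}-user{i}"} for i, p in enumerate(people)]

def linked_accounts(db_a, db_b, key):
    """Count rows in db_b whose `key` column also appears in db_a."""
    index = {row[key] for row in db_a}
    return sum(1 for row in db_b if row[key] in index)

# Constructed sample population: two people use both services.
PEOPLE = ["person-001", "person-002", "person-003"]
SHOP = register(PEOPLE, "shop")
CLINIC = register(PEOPLE[1:], "clinic")

if __name__ == "__main__":
    # The shared lifelong identifier joins the two tables directly.
    print("accounts joinable on CI:", linked_accounts(SHOP, CLINIC, "ci"))
    # The site-specific identifier gives the two services no common column.
    print("accounts joinable on DI:", linked_accounts(SHOP, CLINIC, "di"))
```

A service that stores only the site-specific value can still detect duplicate registrations on its own site, which is the property the text says is lost when DI is inconsistent and services fall back to CI.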

Korean authorities have acknowledged parts of these issues and have pursued reforms in parallel with the mobile ID rollout, including discussions about protections for DI-like identifiers[34]. As mobile IDs become widely adopted, demand for CI-based paid verification APIs may decline, forcing the private verification market to shrink or reposition.

Mobile ID vs. Private Verification: Tensions and Policy Direction

The emergence of a government-backed mobile ID creates tensions with the existing CI/DI market. Mobile ID is a digitization of legally recognized identity documents, offering stronger assurance and broader applicability than private verification mechanisms[8]. Mobile verification via PASS is a private, momentary DB check; by contrast, a mobile resident registration card is a government-issued ID usable for legal/administrative contexts and can expand into offline identity checks and KYC.

This shift threatens incumbents (telecom providers and platforms) that rely on verification fees and CI-based user management. If users can prove attributes with near-anonymous selective disclosure, platforms may lose a stable cross-service linking key, reducing data collection incentives[5][2]. Early concerns framed this as “government taking the market,” but policy has moved toward a public–private partnership model: major platforms (e.g., Naver, Kakao) are positioned as wallet operators within government rules[18]. Naver, for example, reportedly transitioned into a qualified operator under government evaluation[19]. The intent is to reduce conflict and enable an “orderly landing” for the industry.

Global Trend: More Public Governance for Digital Identity

Across countries, public involvement in digital identity is increasing. In Europe, eIDAS 2.0 aims to provide a government-backed digital ID to the entire population and reduce dependence on private Big Tech login ecosystems[1][3]. Korea’s mobile ID similarly represents a move toward a government-led identity infrastructure, shifting responsibility away from the private verification market.

Both cases emphasize user-centric controls and privacy protections through selective disclosure and modern identity technologies (DID, blockchain, and potentially ZKP)[5][12][37][2].

By contrast, some countries such as the U.S. have a more fragmented approach—e.g., state-level mobile driver’s licenses and greater reliance on private identity providers—due to the lack of a unified federal digital ID framework[38][39]. Nevertheless, global trends increasingly converge on public governance of trust frameworks; countries such as Australia and the UK have pursued digital identity trust frameworks to regulate assurance and interoperability[40][41].

EU vs Korea: Comparison Table

| Dimension | EU: eIDAS 2.0 (EUDI Wallet) | Korea: Mobile ID | Korea: Private Verification (CI/DI) |
| --- | --- | --- | --- |
| Governance / system | EU regulation-backed public-led framework. Each Member State must provide at least one qualified wallet (private developers can participate)[3]. Participation by IdPs and trust service providers requires strict qualification. | Government-led smartphone ID. Government issues credentials; selected private platforms act as wallet operators in a constrained role[42]. | Private providers (telecoms, credit bureaus) operate verification; government designates/supervises. Market is concentrated (e.g., telecom PASS). |
| Credential / proof mechanism | Wallet stores credentials and attributes; mobile app with strong auth. Uses verifiable credentials and verification under common standards; selective disclosure and (potentially) ZKP for attribute proofs[37]. | Credential stored on device secure element; presentation via QR/barcode or BLE; authenticity verified via DID/blockchain; device security (biometrics/PIN) gates use[14][15]. | Central DB match via mobile/i-PIN. After verification, provider issues CI/DI identifiers used by services for user identification[26]. |
| Legal status | Direct effect via EU regulation; cross-border recognition under EU rules[3]. Large platforms expected to accept the scheme. | National laws updated to grant equivalence to physical IDs[8]. | Operates under telecom/online ID verification regime; CI treated as personal data; DI protection debated[34]. Not a government ID. |
| Privacy design | Strong “privacy by design”: minimization, user consent, selective disclosure, and strict limits on misuse[5]. | Device-held credential + selective field disclosure aims to reduce over-sharing and mass breach risk[13][12]. | High privacy concerns: CI can become a cross-service tracking identifier; user cannot rotate it; DI visibility concerns[31][34][33]. |
| Role of private sector | Private entities can build wallet apps/provide trust services under certification; large services must integrate[6]. | Private apps act as distribution/wallet operators; government remains issuer and verifier. | Private market-led verification; companies monetize verification fees and identifiers. |

Overall, both the EU’s eIDAS 2.0 and Korea’s mobile ID initiative pursue a new digital identity paradigm. Europe aims for an interoperable trust framework that works across borders[3], while Korea aims to enable everyday public and private services via smartphone-based IDs and to modernize legacy private verification practices[22]. Both are public-led but seek workable private-sector roles, and both will likely evolve toward stronger user privacy and better usability as digital identity becomes foundational infrastructure[2][49].