
NIN Should Verify Identity, not Disclose It, By Abiola Ilupeju


As someone who has spent over a decade designing secure systems, evaluating security controls, and improving software engineering processes, I have followed the recent discussions surrounding Nigeria’s national identity ecosystem with great interest.

Much of the public conversation has focused on investigative reports that revealed unauthorised access to citizen data through verification channels, the activities of verification agents and downstream sub-agents, and subsequent enforcement actions against individuals involved in the illicit trade of identity records. These developments deserve serious attention. However, they are symptoms of a deeper challenge.

Rather than viewing the issue solely as a data leak problem, I examined it from a security architecture, privacy engineering, and digital identity governance perspective.

My conclusion is that the controversy exposed a fundamental weakness in how identity verification has historically been implemented within parts of the ecosystem. The greatest risk is not merely the existence of unauthorised sellers of citizen data. It is that the architecture created incentives for data harvesting by allowing a permanent national identifier to function in ways that resemble an authentication credential.

This is not simply a cybersecurity problem. It is a governance, accountability, and privacy architecture problem. At the heart of the debate is a more fundamental question: Why does possession of a NIN enable the retrieval of extensive personal information?

NIN WAS NEVER INTENDED TO BE A PASSWORD

The mandate of the National Identity Management Commission (NIMC), established under the National Identity Management Commission Act, 2007, includes creating and maintaining a centralised national identity database as an authoritative source of identity information for citizens and legal residents.

To understand the issue, we must distinguish between identification and authentication. Identification answers the question: Who are you? Authentication answers the question: How do you prove you are who you claim to be? In most software systems, an identifier, such as a username, identifies a user while a password authenticates that user, before access is granted to protected resources.

A NIN was created as an identifier, not as a credential. The challenge arises when possession of that identifier becomes sufficient to retrieve sensitive personal information. At that point, the identifier begins to function like an authentication factor.

This is problematic because identifiers inevitably become widely distributed. Banks collect NINs during account opening. Telecommunications companies collect them during SIM registration. Employers collect them during onboarding. Schools, hospitals, insurance companies, pension administrators, fintechs, and government agencies also collect them for legitimate operational purposes.

At this scale, it is unrealistic to assume that a NIN will remain secret forever. Unlike passwords, bank cards, or access tokens, a NIN cannot simply be replaced after compromise. Because it is designed to remain associated with an individual for life and is used across multiple sectors, the consequences of exposure may persist for years or even decades.

This leads to a simple architectural principle: the security of the NIN ecosystem should not depend on the secrecy of the NIN itself. A permanent and widely distributed identifier should never function as a key that unlocks a citizen’s complete identity profile.

THE ECONOMIC INCENTIVE PROBLEM

The present approach appears to follow a disclosure-based model, which creates economic incentives for data harvesting. When you supply a NIN to the web service and receive the full profile of the citizen, every successful lookup becomes a data acquisition event. The more lookups performed, the larger the dataset becomes. Organisations thus accumulate records which are shared, resold, and aggregated, eventually creating the conditions for data brokerage. This does not require malicious actors. It is a predictable outcome of an architecture that makes identity data valuable.

Now consider a verification-based model where you supply a NIN and a claim, and the web service returns only True or False. For example: Does this NIN belong to the individual with this phone number? Does this name match this NIN? Is the person with this NIN older than 18? Does this photograph match the enrolled photograph? The response is limited to a verification result, and the underlying identity record never leaves the authoritative source. In this model, there is little or no commercial value in accumulating millions of True or False responses because the data required to build a shadow identity database is never disclosed.
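The contrast between the two models can be shown in a short sketch. This is an added illustration, not NIMC's API or code from any integrator: the registry contents, function names, claim names, and the audit-log fields are all hypothetical, and the records are constructed sample data.

```python
from datetime import date

# Constructed sample registry; NINs and personal details are made up.
REGISTRY = {
    "10000000001": {"name": "Ada Obi", "phone": "+2348000000001",
                    "dob": date(1990, 5, 17), "address": "1 Sample Rd"},
    "10000000002": {"name": "Tunde Bello", "phone": "+2348000000002",
                    "dob": date(2012, 3, 2), "address": "2 Sample Rd"},
}
AUDIT_LOG = []  # who asked, about which NIN, which claim type, and why


def disclose(nin):
    """Disclosure model: possession of the NIN returns the whole record."""
    return REGISTRY.get(nin)


def _same(a, b):
    # Compare ignoring case and extra whitespace.
    norm = lambda s: " ".join(str(s).lower().split())
    return norm(a) == norm(b)


def _age_on(dob, today):
    # Whole years completed on the given day.
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


# Hypothetical claim types; each evaluates to a bool and nothing else.
CLAIMS = {
    "name_matches": lambda rec, v, today: _same(rec["name"], v),
    "phone_matches": lambda rec, v, today: _same(rec["phone"], v),
    "age_at_least": lambda rec, v, today: _age_on(rec["dob"], today) >= int(v),
}


def verify(requester, purpose, nin, claim, value, today=None):
    """Verification model: return only True/False; the record never leaves."""
    if claim not in CLAIMS:
        raise ValueError(f"unsupported claim: {claim}")
    # Log the request, but not the claimed value, so the log is not a new data store.
    AUDIT_LOG.append({"requester": requester, "purpose": purpose,
                      "nin": nin, "claim": claim})
    rec = REGISTRY.get(nin)
    # An unknown NIN and a failed claim look identical to the caller.
    return bool(rec) and CLAIMS[claim](rec, value, today or date.today())
```

A caller who already holds the customer's name or phone number learns whether it is correct; a caller who holds only the NIN learns nothing it can resell.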

Privacy-preserving identity systems are designed around verification of claims rather than disclosure of records. Concepts such as privacy by design (Cavoukian, 2011) and selective disclosure (De Salve et al., 2025) seek to ensure that organisations receive only the information necessary for a transaction rather than a citizen’s entire identity profile.

IDENTITY REPOSITORY OR IDENTITY VERIFICATION SERVICE?

Should NIMC operate primarily as an identity repository or as an identity verification service? Banks, telecom operators, employers, universities, and government agencies already maintain extensive records about the people they serve. They collect this information because they need it for their own operations. What they need from NIMC is not additional data, but assurance that the information provided by an individual is accurate.

A bank does not need NIMC to provide a customer’s address if the bank already collected that information directly from the customer. The bank simply needs confirmation that the customer is who they claim to be. This suggests that the future of the ecosystem should be verification rather than disclosure.

LESSONS FROM THE PAYMENT INDUSTRY

The payment industry provides a useful comparison. The success of the payment ecosystem is not the result of assuming good behaviour. It is the result of designing controls that anticipate misuse. Through frameworks such as PCI DSS, the industry relies on strict onboarding requirements, independent assessments, continuous audits, data minimisation, tokenisation, strong penalties for non-compliance, and clear liability when data is exposed.

Nigeria’s identity ecosystem can adopt similar principles. The objective should not be limited to protecting identity data after disclosure. It should be to reduce unnecessary disclosure altogether.

SIGNS OF PROGRESS

It is important to acknowledge that NIMC has not remained static in the face of these challenges. Recent initiatives such as NIN tokenisation, Virtual NIN (vNIN), NINAuth, consent-based authentication mechanisms, and broader data protection measures indicate a deliberate shift toward privacy-preserving identity verification and move the ecosystem closer to a model where verification can occur without unrestricted disclosure of identity records.

THE GOVERNANCE GAP

While NIMC has introduced privacy-enhancing initiatives, publicly available integration documentation, legacy implementations, downstream delegation models, and inconsistent verification approaches suggest that the broader ecosystem has not fully completed the transition from disclosure-based verification to privacy-preserving verification.

During my review of some publicly available integration documentation, I encountered examples that described verification workflows capable of returning significantly more identity information than many business processes require.

Whether these examples reflect current implementations, legacy implementations, or outdated documentation is less important than the broader lesson they reveal: governance must extend beyond the central identity authority to include integrators, verification providers, agents, and downstream consumers of identity services. The challenge is therefore increasingly a governance, certification, auditing, and ecosystem-alignment challenge.

RECOMMENDATIONS

The future of identity verification in Nigeria should adopt the following principles. Verification services should confirm claims rather than disclose complete identity profiles, moving the ecosystem from identity disclosure to attribute-based verification. Every participant in the verification chain should be identifiable, auditable, and accountable, with unrestricted downstream delegation prohibited. Citizens should be able to see who accessed their identity information, when it was accessed, and for what purpose.

Organisations consuming identity services should undergo periodic security and privacy assessments through independent certification and auditing. Nigeria should also consider a dedicated framework establishing technical, privacy, governance, and accountability requirements across the ecosystem.

Finally, verification providers and ecosystem participants should periodically review APIs, documentation, and operational practices to ensure alignment with current privacy-preserving standards.

Abiola Ilupeju is an information security and software engineering professional with over 16 years’ experience. She holds an MSc in Information Security and Privacy from Cardiff University and is a Principal Consultant at Moat Consulting Limited.
