Domain-Specific Solution · S3

Verifiable Credentials & Digital Identity Security

Security advisory and assurance for national digital identity programmes, verifiable credential infrastructure and open-source DPI identity stacks — with practitioner expertise in MOSIP, OpenG2P, GovStack, W3C VC, DID standards and eIDAS 2.0 across Africa, Asia and the Pacific.

MOSIP · OpenG2P · GovStack
W3C VC · DID Standards
eIDAS 2.0 Advisory
Biometric Security Coverage
OSIA · ID4Africa Aligned
Platforms: MOSIP · OpenG2P · GovStack · Inji · OpenCRVS · eSignet
Standards: W3C VC · DID · OpenID Connect · eIDAS 2.0 · ISO 18013-5
Coverage: Biometric Security · PKI · Credential Lifecycle · Identity Proofing
Regions: Africa · Asia · Pacific · Government Digital Identity Programmes
Aligned: DPGA Privacy Expert · World Bank ID4D · UNDP Digital Identity
Testing: MOSIP Security Assessment · VC Trust Chain Audit · Biometric Pen Test
Delivery: Open-Source DPI Contributor · Practitioner-Led Deployments

The highest-stakes DPI programme any government runs

National digital identity programmes consolidate sensitive personal data — biometrics, demographic records, linkages to benefit payments, healthcare and financial accounts — into a single foundational infrastructure. A breach is not just a data incident: it can undermine public trust in the entire programme, expose millions of citizens to identity fraud, and create regulatory and diplomatic consequences that take years to resolve.

Nucleus Systems brings specialist expertise in the security of the open-source DPI identity platforms being deployed at scale across Africa, Asia and the Pacific — MOSIP (Modular Open Source Identity Platform), OpenG2P (social protection delivery), and the GovStack identity building block. Our practitioners have worked inside these systems, understand their architecture and trust boundaries, and can assess and advise on security in ways that general security consultants cannot.

We also cover the verifiable credential and decentralised identity layer — W3C Verifiable Credentials, DID standards, selective disclosure schemes, and the eIDAS 2.0 European Digital Identity Wallet framework — advising governments, issuers and relying parties on secure implementation of the emerging digital identity trust infrastructure.

Open-Source DPI Platforms
MOSIP · OpenG2P · GovStack — inside expertise
We have direct, hands-on experience with the open-source identity platforms being deployed by governments across the developing world. We know their modular architecture, their biometric subsystem security, their registration and authentication APIs, and the specific attack vectors they attract — not from documentation review, but from working in and around these deployments.
Verifiable Credentials
W3C VC · DID · Selective Disclosure · eIDAS 2.0
We advise issuers, verifiers and wallet providers on the secure implementation of verifiable credential ecosystems — covering W3C VC data model security, DID method selection and key management, SD-JWT and BBS+ selective disclosure schemes, and eIDAS 2.0 EUDIW security requirements for the European market.
Privacy by Design
Identity security that doesn't create surveillance infrastructure
Identity systems designed without privacy controls become surveillance infrastructure. We advise on privacy-preserving identity architecture — minimal disclosure, biometric data protection, audit trail design that supports accountability without enabling mass surveillance, and alignment to GDPR, POPIA and regional data protection frameworks.

Services

From national ID programme security architecture through to verifiable credential system assessment and eIDAS 2.0 compliance advisory.

Digital Identity Security Architecture Review

End-to-end security architecture assessment of digital identity systems — covering registration, biometric capture, deduplication, authentication, credential issuance, and relying party integration. Threat model built to the specific programme context and deployment environment.

MOSIP Platform Security Assessment

Purpose-built security assessment for MOSIP deployments — covering the registration client, kernel services, ID repository, authentication server, resident portal, and partner management. Based on direct platform expertise, covering the MOSIP-specific threat model and known vulnerability classes.

OpenG2P Security Review

Security assessment of OpenG2P deployments for social protection and benefit delivery programmes — covering beneficiary registry security, payment disbursement controls, ID-to-payment linkage integrity, and the specific fraud and exclusion risks in social protection digital delivery.

Verifiable Credential System Assessment

Security assessment of verifiable credential issuance, presentation and verification infrastructure — covering W3C VC data model implementation, DID resolution and key management, credential status mechanisms, selective disclosure implementation, and holder binding security.

Decentralised Identity Infrastructure Review

Security review of DID method implementations, VDR (verifiable data registry) security, key rotation and recovery procedures, and the governance frameworks that underpin decentralised identity trust. Covers enterprise, government and cross-border DID deployments.

Biometric System Security Assessment

Security assessment of biometric capture, storage, matching and deduplication systems — covering biometric data protection, liveness detection and presentation attack resistance, biometric template security, and compliance with ISO/IEC 30107 and applicable data protection regulations.

National ID Programme Security Advisory

End-to-end security advisory for national digital ID programme design and implementation — from initial threat modelling and architecture review through to procurement security requirements, vendor assessment, pilot security, and operational security design for national-scale rollout.

eIDAS 2.0 & Privacy-Preserving Design

Advisory for eIDAS 2.0 European Digital Identity Wallet compliance — covering EUDIW architecture requirements, PID (Person Identification Data) attestation security, and selective disclosure. Also privacy-preserving identity system design for programmes that must balance verifiability with minimal disclosure and anti-surveillance principles.

Standards & Framework Coverage

Digital identity security spans technical standards, data protection law and international development frameworks — we advise across all three layers.

W3C & DIF Standards
W3C Verifiable Credentials Data Model 2.0 · W3C DID Core 1.0 · DIF Presentation Exchange · DIF Credential Manifest · SD-JWT (IETF) · BBS+ selective disclosure · OpenID4VC (OID4VCI, OID4VP) · ISO/IEC 18013-5 (mDL). Full coverage of the current verifiable credential and digital wallet standards landscape.
DPI & Regional Frameworks
MOSIP security framework · GovStack Identity Building Block security requirements · OSIA (Open Standard Identity APIs) · ID4Africa digital identity principles · G20 Digital Identity Principles · World Bank ID4D guidelines · GSMA Mobile Connect security framework.
eIDAS 2.0 & European Framework
eIDAS 2.0 Regulation (EU 2024/1183) EUDIW architecture requirements · ARF (Architecture and Reference Framework) security controls · PID attestation and QEAA security requirements · NIS2 obligations for identity infrastructure operators · GDPR Art. 25 data protection by design for identity systems.
Biometric & Data Protection
ISO/IEC 30107 Presentation Attack Detection · ISO/IEC 19794 biometric data interchange formats · ISO/IEC 24745 biometric information protection · GDPR Art. 9 (biometric data as special category) · POPIA (South Africa) · applicable national data protection laws in deployment jurisdictions.

Secure national-scale identity infrastructure that 100 million people will depend on

Speak with a Nucleus Systems digital identity specialist about your programme — whether you're designing a national ID system, deploying MOSIP, building a verifiable credential ecosystem, or preparing for eIDAS 2.0.