The Corporate Affairs Commission has rolled out a major security upgrade to its Integrated Company Registration Portal, requiring all users to reset their passwords and activate Two-Factor Authentication before gaining access a mandatory overhaul that comes just days after the commission confirmed a cybersecurity incident involving unauthorised access to limited aspects of its information systems.
![](https://thenigerialawyer.com/wp-content/uploads/2024/11/TheNigerialawyer-WhatsApp-Channel1.jpg")
The commission announced the new requirements on its official X handle on Monday, describing the update as part of efforts to strengthen data protection and reduce unauthorised access following recent system maintenance a characterisation that notably avoids direct reference to the cybersecurity breach disclosed on April 15, but whose timing leaves no doubt about the connection.
Under the new security regime, the simple act of logging into the CAC portal to register a company, file annual returns, or access corporate records now requires a two-step verification process involving a new password and a time-based authentication code generated by the Google Authenticator mobile application replacing the simpler email-based verification methods previously used and bringing the portal’s security architecture closer to international standards for systems handling sensitive business data.
The CAC has outlined a detailed step-by-step process that all portal users must complete before regaining access to their accounts.
First, users must visit the official iCRP portal at https://icrp.cac.gov.ng/ and initiate a password reset by clicking the “Forgot Password” or “Reset Password” link on the login page. They must enter the email address or username linked to their account and submit the request. A reset link will be sent to the registered email address, through which users can create a new, stronger password.
The commission has emphasised that this initial password reset is required only once but it is mandatory. Users cannot access their accounts using their old passwords.
Second, after resetting their password, users must log back into the portal using their new credentials. The system will then prompt them to enable Two-Factor Authentication.
To complete the 2FA setup, users must download the Google Authenticator app available on both the Apple App Store and Google Play Store if they do not already have it installed. The portal will display a QR code, which users must scan using the Google Authenticator app to add their iCRP account.
Once scanned, the app will begin generating six-digit authentication codes that change every 30 seconds. Users must enter the current six-digit code from the app into the portal to complete the setup.
For all future logins, users will need to enter their email or username, their new password, and the current six-digit code from the Google Authenticator app — a three-layer authentication process that significantly increases the difficulty of unauthorised access.
While the CAC described the update as part of routine efforts to strengthen data protection, the timing is unmistakable.
On April 15, 2026 just six days before Monday’s announcement the commission issued a public notice confirming that it was “currently reviewing a cybersecurity incident involving unauthorised access to limited aspects of its information systems.”
That notice advised stakeholders to “monitor their records on the CAC portal, update login credentials, and remain cautious of unsolicited communications” the very actions that Monday’s mandatory security upgrade now enforces.
The progression from advisory to mandatory requirement suggests the commission’s assessment of the breach has determined that voluntary credential updates were insufficient and that a forced reset of all passwords, combined with the introduction of a significantly more robust authentication mechanism, was necessary to secure the portal against further unauthorised access.
The switch from email-based One-Time Password verification to app-based Two-Factor Authentication is particularly telling. Email-based OTP systems are vulnerable to email account compromises if the cybersecurity incident involved access to users’ email addresses stored in the CAC’s systems, an attacker could potentially intercept email-based verification codes. App-based 2FA, which generates codes locally on the user’s device without transmitting them over email, eliminates this vulnerability.
The mandatory security upgrade affects every user of the CAC’s Integrated Company Registration Portal a population that includes company secretaries, lawyers, accountants, business owners, corporate registrars, and other professionals who interact with Nigeria’s corporate registry.
Given the CAC’s role as the sole authority for company registration, business name registration, incorporated trustees, and other entity types in Nigeria, the portal serves millions of registered entities and their authorised representatives. The mandatory password reset and 2FA activation therefore represents one of the largest forced security upgrades of a government digital platform in Nigeria’s history.
The process will inevitably cause temporary disruption as users navigate the new requirements particularly for less tech-savvy users who may be unfamiliar with authentication apps. The CAC has attempted to mitigate this by providing demonstration videos on its portal, official website, and social media platforms.
The shift from email-based verification to app-based Two-Factor Authentication represents a significant improvement in the portal’s security posture.
Email-based OTP systems, while better than password-only access, have well-documented vulnerabilities. If an attacker gains access to a user’s email account through phishing, credential stuffing, or data breaches they can intercept the OTP and bypass the second authentication factor.
Time-based authentication codes generated by apps like Google Authenticator operate differently. The codes are generated locally on the user’s device using a shared secret key established during setup (the QR code scanning process). The codes change every 30 seconds and are never transmitted over email or any other network meaning an attacker would need physical access to the user’s device or the backup codes to bypass the authentication.
This is the same authentication standard used by major technology companies, financial institutions, and government agencies worldwide and its adoption by the CAC brings the portal’s security to a level commensurate with the sensitivity of the data it holds.
The CAC has issued several important tips for users completing the security upgrade.
Users should create strong passwords using a mix of uppercase and lowercase letters, numbers, and symbols, and should never share their passwords with anyone — including CAC staff, who would never request a user’s password.
Users should ensure the email address linked to their CAC account is active and accessible, and should check their spam or junk folder if the password reset email does not appear in their inbox.
Critically, users should save their Google Authenticator backup codes securely in case they lose access to their phone. Without these backup codes, losing or changing a phone could result in being locked out of the CAC portal a situation that could disrupt business operations requiring portal access.
Users who encounter difficulties can contact the CAC Call Centre at 0708 062 9000 or email helpdesk@cac.gov.ng for assistance.
The CAC’s security upgrade is the latest in a series of responses to the cybersecurity incident disclosed on April 15. The commission stated at the time that it had activated response protocols and was working with the National Information Technology Development Agency, relevant government agencies, and partners to assess the scope and impact of the breach.
The mandatory password reset and 2FA requirement represent the most visible public-facing action taken in response to the incident a concrete step that every user of the portal will experience directly.
However, several questions raised by the original breach disclosure remain unanswered. The commission has not publicly disclosed what specific data was accessed, how many records were potentially compromised, how the breach occurred, or whether any fraudulent changes were made to company records as a result.
The security upgrade addresses the authentication vulnerability making it harder for unauthorised users to access the portal going forward but does not address the question of what happened to any data that may have been accessed during the breach itself.
For the millions of businesses that rely on the CAC portal for their corporate compliance obligations, Monday’s security upgrade is both a necessary inconvenience and a reminder that the digital infrastructure underpinning Nigeria’s corporate registry requires the kind of robust protection that should have been in place before, not after, a breach occurred.
Interested buyers are encouraged to place their orders and enquiries via:
0704 444 4777, 0704 444 4999, 0818 199 9888
Website: www.alexandernigeria.com
The book, titled The Law of Torts in Nigeria: A Functional Approach, authored by Professor Hagler Sunny Okorie Ph.D and Ikeocha, Nathaniel Ngozi Esq, offers law students, practitioners, and academics a comprehensive guide to understanding and applying tort law in Nigerian courts. Interested buyers can place orders via the following contact numbers: 08028636615, 08037667945, 08032253813, or +234 902 196 2209.
_______________________________________________________________________
ARTIFICIAL INTELLIGENCE FOR LAWYERS: A COMPREHENSIVE GUIDE
Reimagine your practice with the power of AI “...this is the only Nigerian book I know of on the topic.” — Ohio Books Ltd
Authored by Ben Ijeoma Adigwe, Esq., ACIArb (UK), LL.M, Dip. in Artificial Intelligence, Director, Delta State Ministry of Justice, Asaba, Nigeria.
Bonus:
Get a FREE eBook titled “How to Use the AI in Legalpedia and Law Pavilion” with every purchase.
How to Order: 📞 Call, Text, or WhatsApp: 08034917063 | 07055285878 📧 Email: benadigwe1@gmail.com 🌐 Website: www.benadigwe.com
Ebook Version: Access directly online at: https://selar.com/prv626
________________________________________________________________________ [A MUST HAVE] Evidence Act Demystified With Recent And Contemporary Cases And Materials
