Authentication
The process of verifying the identity of an NFC tag or reader. Ranges from simple password checks (32-bit) to cryptographic mutual authentication (AES-128). Critical for anti-counterfeiting, access control, and payment applications.
What Is NFC Authentication?
NFC authentication is the process of verifying the identity of an NFC tag or reader to establish trust before exchanging sensitive data. Authentication ranges from simple password protection using a 32-bit code to sophisticated cryptographic protocols employing AES-128 mutual authentication. The choice of authentication mechanism directly determines an NFC deployment's resistance to cloning, eavesdropping, and unauthorized access.
Authentication Levels
NFC authentication can be categorized into four progressive security levels:
| Level | Mechanism | Security | Example Chips |
|---|---|---|---|
| None | Open read/write | No protection | Basic NTAG 213 (unprotected) |
| Basic | 32-bit password | Low (plaintext) | NTAG 21x, Ultralight EV1 |
| Standard | 3DES / AES keys | Medium-High | Ultralight C, DESFire EV1 |
| Advanced | AES-128 mutual auth + SDM | Very High | NTAG 424 DNA, DESFire EV3 |
Password Authentication
The simplest authentication method uses a 32-bit (4-byte) password transmitted to the tag's NFC chip via the PWD_AUTH command. If the password matches, the tag grants access to the protected memory area and returns a 16-bit password acknowledgment (PACK). If it fails, the tag remains locked.
Limitations. The 32-bit password is transmitted in plaintext over the RF interface, meaning anyone with an NFC sniffer within the read range can capture it. Password protection is appropriate for preventing casual tampering but inadequate for security-critical applications. The 32-bit key space (4.29 billion combinations) can be brute-forced with dedicated hardware.
Cryptographic Authentication
For higher security, modern NFC chips implement standard cryptographic algorithms:
DES / 3DES. Used in MIFARE Ultralight C and DESFire EV1. Three-key Triple DES provides 168-bit effective key length. While more secure than password protection, 3DES is considered legacy and is being phased out in favor of AES.
AES-128. Used in NTAG 424 DNA, DESFire EV2/EV3, and MIFARE Plus. AES provides strong symmetric encryption with 128-bit keys. The authentication handshake uses a challenge-response protocol where both parties prove knowledge of the shared key without transmitting it.
Mutual Authentication
In mutual authentication, both the reader and tag verify each other's identity. The reader sends a challenge to the tag, the tag responds with an encrypted answer and its own challenge, and the reader responds in turn. This prevents both unauthorized readers from accessing protected tags and counterfeit tags from impersonating genuine ones.
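The three-pass exchange described above, as an added example (not from the original page or from any chip vendor's code). HMAC-SHA256 stands in for the AES-128 operations because Python's standard library has no AES, and the message layout, role labels and class names are assumptions of this example, not the DESFire or NTAG 424 DNA wire format.

```python
import hashlib
import hmac
import secrets

def prove(key, role, own_rnd, peer_rnd):
    # Proof of key knowledge bound to both challenges and the sender's role.
    # HMAC-SHA256 is a stand-in for the AES-128 step (assumption of this example).
    return hmac.new(key, role + peer_rnd + own_rnd, hashlib.sha256).digest()[:16]

class Tag:
    def __init__(self, key):
        self._key = key
        self.authenticated = False

    def pass2(self, rnd_a):
        # Answer the reader's challenge and issue a fresh challenge of our own.
        self._rnd_a, self._rnd_b = rnd_a, secrets.token_bytes(16)
        return self._rnd_b, prove(self._key, b"TAG", self._rnd_b, rnd_a)

    def pass3(self, reader_proof):
        # Unlock only if the reader proves the key against *our* challenge.
        expected = prove(self._key, b"RDR", self._rnd_a, self._rnd_b)
        self.authenticated = hmac.compare_digest(reader_proof, expected)
        return self.authenticated

class Reader:
    def __init__(self, key):
        self._key = key

    def authenticate(self, tag):
        rnd_a = secrets.token_bytes(16)                  # pass 1: reader challenge
        rnd_b, tag_proof = tag.pass2(rnd_a)              # pass 2: answer + tag challenge
        expected = prove(self._key, b"TAG", rnd_b, rnd_a)
        if not hmac.compare_digest(tag_proof, expected):
            return False                                 # counterfeit tag: stop here
        return tag.pass3(prove(self._key, b"RDR", rnd_a, rnd_b))  # pass 3

def demo():
    key = secrets.token_bytes(16)                        # constructed 128-bit key
    genuine, clone, target = Tag(key), Tag(secrets.token_bytes(16)), Tag(key)
    return {
        "genuine_tag": Reader(key).authenticate(genuine),
        "counterfeit_tag": Reader(key).authenticate(clone),
        "rogue_reader": Reader(secrets.token_bytes(16)).authenticate(target),
        "rogue_reader_unlocked_tag": target.authenticated,
    }

if __name__ == "__main__":
    print(demo())
```

The role label in each proof keeps a reader's answer from being accepted as a tag's answer, and the fresh tag challenge is what makes a captured pass-3 response fail in a later session.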
Dynamic Authentication (SUN/SDM)
The most advanced NFC authentication mechanism is Secure Unique NFC (SUN) combined with Secure Dynamic Messaging (SDM), available in NTAG DNA chips. Every tap generates a unique, cryptographically signed URL that a backend server verifies. This eliminates the possibility of replay attacks and provides irrefutable proof of tag authenticity.
Choosing the Right Authentication
The appropriate authentication level depends on the threat model:
- Marketing tags, information sharing: No authentication or basic password to prevent rewriting
- Asset tracking, loyalty programs: Password protection with access control bits
- Brand protection, anti-counterfeiting: AES mutual authentication or SUN/SDM
- Payment, access control: Full EMV or DESFire EV3 with AES mutual authentication
Frequently Asked Questions
The NFC glossary is a comprehensive reference of technical terms, acronyms, and concepts used in Near Field Communication technology. It is designed for developers, product managers, and engineers who work with NFC and need clear definitions of terms like NDEF, APDU, anti-collision, and ISO 14443.
Each glossary term is cross-referenced with related NFC chips, standards, and other terms. For example, the term 'AES-128' links to chips that support AES encryption (NTAG 424 DNA, DESFire EV2/EV3), and the term 'ISO 14443' links to all chips compliant with that standard.
Yes. NFCFYI provides glossary definitions in 15 languages including English, Korean, Japanese, Chinese, Spanish, Portuguese, Hindi, Arabic, French, Russian, German, Turkish, Vietnamese, Indonesian, and Thai. Use the language selector in the header to switch languages.