Three main components underly modern credential technology – chips, formats, and encryption. Each are applicable to both cards and mobile credentials and understanding them is key to making informed decisions for your campus card program.

In this series of articles, we will dive into each component, but first a brief preview.

Chips are the core of the credential equation. Like the chips that power almost everything we use in our modern lives, they both store and process the data required for identity transactions.

A format – also known as a card format or data format – is the standardized pattern used to store data on a chip. The format holds information such as ID numbers that allow access control and other systems to make decisions about the cardholder. Because data formats are just patterns or structures, they can be used on different chips. This enables different chip types to be used in the same system.

Encryption is the primary method used to secure data on the chip and in transit between the chip, reader, and system. Encryption levels in credentials vary greatly, from none-at-all to best-in-class, and everywhere in between.

In this first of these three articles, we’ll dive into chips.

125 kHzProx vs. 13.56 MHz contactless chips

Most chips on ID cards are either proximity chips that operate at the 125 kHz frequency or contactless smart chips that operate at the higher 13.56 MHz frequency.

The chips used in proximity or prox cards are older, non-secure technology. They do not support encryption and are really a storage mechanism to hold data such as an ID number. Because they lack security, they are extremely easy to clone and thus have fallen out of favor for secure applications like campus credentials.

You can go to a kiosk at Bed Bath & Beyond, insert your prox card or key fob, and they'll give you a duplicate of it.

According to Todd Brooks, Vice President of Products and Technology at ColorID, prox card cloning is easy and inexpensive due to the lack of encryption. There are vending machines and online devices that facilitate cloning.

“You can go to a kiosk at Bed Bath & Beyond, insert your prox card or key fob, and they'll give you a duplicate of it,” says Brooks. “Or you can buy a $25 device on Amazon that can clone cards very easily.”

For these reasons, higher education and most other security-conscious organizations have moved on to high-frequency 13.56 MHz contactless or Near Field Communication (NFC) technology.

But just because these chips operate at a higher frequency doesn't make them inherently more secure. It's what you do with it.

“A lot of people think, oh, it's contactless or NFC, so it's secure,” says David Stallsmith, Director of Product Management for ColorID. “But NFC only defines the communication frequency and a couple other very simple parameters. If it's not encrypted, it's still not much better than prox.”

In practice, however, most implementations of contactless chips do incorporate encryption. Of course, some do it better than others.

Popular ‘flavors’ of contactless chips

Common 13.56 MHz chips include MIFARE Classic and MIFARE DESFire from NXP, iCLASS from HID, and FeliCa from Sony.

Encryption for MIFARE Classic was compromised years ago, so that chip is not used often in secure applications, though it is still common in low-security situations.

For campus cards in the U.S., FeliCa and the initial versions of iCLASS were popular options, but they are not used much for new implementations. Many institutions that deployed them in the past, however, continue to use them.

There have been four versions of DESFire since its introduction in 2002. Today’s gold standard for security is EV3.

iCLASS Seos – the latest version of HID’s iCLASS – is extremely secure, and its usage is rising rapidly, says Stallsmith. While in this case Seos is the name of a specific chip, it can also be a secure identity object that can be used on other chips.

In recent years, DESFire has been the go-to for campuses and other markets seeking a secure credential.

There have been four versions of DESFire since its introduction in 2002. DESFire, DESFire EV1, DESFire EV2, and DESFire EV3.

According to Brooks, today’s gold standard for security is EV3.

The original DESFire product was phased out by NXP years ago, and EV2 was phased out more recently as NXP released the successor EV3 chip.

Because of its widespread use, EV1 is still available, though its phase out is also starting.

“EV1 still uses high-end AES encryption,” says Brooks. “It hasn't been broken, but we're just seeing NXP starting to phase it out.”

That leaves EV3 as the clear leader for new implementations.

“Many of our campus clients opt for EV3, and that is what we’ve been recommending for some time now,” says Stallsmith. “Because it was designed for backwards compatibility, it can even be blended into existing implementations that utilize prior DESFire versions.” 

Chip size matters

The other key component with chips is memory size. The larger the non-volatile memory, the more data and applications the chip can hold. DESFire EV3 chips are available in 2k, 4k, 8k, an 16k sizes.

iCLASS Seos chips are available in 8K and 16K.

Often you will hear the terms like 26-bit and 32-bit discussed when talking about contactless cards, but don’t confuse this with a chip’s memory size. These terms refer to data formats, the topic for the next article in this series.

So how much do different types of chip cards cost?

Obviously, older less secure technology is going to be less expensive, but there are also large variances in the quality of a card’s manufacture.

It follows then that low-quality prox and MIFARE Classic cards are typically the least expensive, often just a couple bucks. But high-quality cards with the same chip can be significantly more expensive.

With any card, however, when it comes to longevity, durability, and good-looking printing, you get what you pay for.

Because of their low cost, many organizations still use non-secure prox and MIFARE Classic cards. Some are not aware of the security vulnerabilities and others choose to take the risk. If the use cases for the card are not high risk in nature, it can be a sensible decision.

With any card, however, when it comes to longevity, durability, and good-looking printing, Brooks says you get what you pay for.

“You can find inexpensive high-frequency cards, but you can also get cards – depending on what you've done with them – that are $10,” he adds. “So, there's a huge range in what you can get from high frequency.”

Key takeaways on contactless chips

Here’s what campus card and security personnel should remember about chips for ID cards.

• Proximity or prox cards are not secure and can be easily cloned.
• Just because a card has a high-frequency, 13.56 MHz contactless chip doesn’t automatically make it secure. It needs to be setup securely and utilize strong encryption.
• The gold standard for security in contactless chips is NXP’s DESFire EV3 and HID’s iCLASS Seos.
• DESFire EV3 is backward-compatible with prior versions of DESFire chips so they can be blended in existing implementations.
• In addition to card form factors, both DESFire and Seos can enable NFC credentials for iPhone and Android phones.