NFC Tag Authentication Explained

NFC tag authentication

NFC tags have a wide and growing number of uses. However, to an extent, NFC has always been a ‘possible’ technology rather than an ‘essential’ technology. For example, if you are an advertising agency and are looking to create a link between your physical packaging and your website – you might consider NFC, but you’ll also consider QR codes. This isn’t the article to go into the pros and cons, but the point is that you have options.

Recently however, there’s a new generation of NFC tags arriving on the market. These are authentication tags and, as they say, this changes everything. The ability to add an NFC tag into a product to allow authentication with a mobile phone by any user. That’s powerful.

Authentication vs. identification

To make things clear, let’s define the difference between identification and authentication. We will use the example of a tag being attached to, say, a handbag. Identification is the ability of the tag to identify that particular model of handbag. It might provide information about the supply chain, the store that sold it, perhaps even the previous owners. However, it doesn’t necessarily mean that the handbag is genuine. An authentication tag takes this a step further. It defines not only the identity of the handbag but that it’s a specific handbag.

Authentication isn’t however just about preventing counterfeit products, it can also be used for access control, user authentication, ticketing, gaming, document authenticity and much more.

Old school vs. new school authentication tags

OK, so let’s be clear. Using authentication in NFC tags isn’t exactly new. It’s been used for ticketing and access control for years. The statistics for the number of MIFARE® ‘Classic’ tags that have been produced is astonishing.

So what’s different ? The difference is the way that the data is presented and how that will be used.

To keep things simple, in the old school chips, the authentication stuff was embedded deep within the chip. You needed special NFC commands to access and control authentication. With some chips, you could, in theory, do this with an App on Android phones but it was a pain.

The new generation of chips still have all that fancy authentication stuff within the chip but they can present the data within the URL NDEF area of the tag. In short, this means that all you need to do is scan the tag with a regular phone without an App (on Android) and you can use the authentication tech. In the parlance of the industry, this is called ‘frictionless’ – you can just tap and go.

Who is making these chips and tags ?

There are a few authentication chips on the market already although the options are changing quickly. Three of the most popular are NXP’s NTAG413 DNA, NTAG424 DNA, HID’s Trusted Tag and a number of chips by Silicon Craft. Other’s are arriving.

However, that’s the chips – not the finished tags. In reality, right now, the supply of tags is limited. There’s a few reasons. Firstly, the chips are more expensive so tag manufacturers and suppliers like Seritag aren’t making tags without demand – there’s no stock. Secondly, and we’ll cover this later, the tags require specialist encoding and key management – something that very few companies can do.

How do authentication NFC Tags work

Each NFC tag has variations but the principle is similar. Each tag is encoded with a special key that cannot be seen. That key is used to generate a unique code on each scan which can be added to the standard NDEF data. This means, for example, the unique code can be automatically added to a web address on the tag with each scan.

That unique code can then be checked on the server using a copy of the same key. The result is that the authenticity of the tag can be confirmed. The tag data cannot be copied because it changes each time and the last scan will no longer be valid.

NFC tag authentication procedure

To explain in very simple terms how the key system works, let’s consider a simple four digit key – 8774. This key is held and hidden on both the tag and the server. On the server, we will also associate this key with a specific tag – in this case tag ‘123’.

When the NFC tag is scanned, the NFC chip within the NFC tag does a simple calculation based on two elements – the scan count (how many times the tag has been scanned) and the key. To keep things simple, let’s say the tag has been scanned three times and that our calculation is just that we multiply the two :

code = 8774 * 3 = 26322

This code (26322) is then dynamically added to the web link encoded on the tag along with the scan count (3) and the id number of the tag (123). So, to be clear, when someone scans the tags, the NFC chip does this calculation and presents to the user this unique web link. That weblink is now used to load the webpage on the phone and in doing so, the data within the weblink is transferred to the server.

The server, can now take those three elements. It knows that the id of the tag is 123, it knows that the scan count is 3 and it knows the code is 26322. From the server’s database, it can pull the unique key stored earlier (26322). It can now reverse the multiplication that was done on the tag :

count = 26322 / 3 = 8774

And in doing so, can confirm that the stored key matches.

Clearly, this is very simple and it wouldn’t take long to work it out ! However, the chips do a similar procedure using a very advanced level of encryption with much longer keys. It would take very powerful computers many years or longer to work out the keys.

A key element here is that during this process, the keys are not stored or required by the mobile phone. They are not visible to the person scanning the NFC tag at any stage.

Key management

One the problems that presents itself with authentication tags is the management of the keys themselves. A key is like a password and might be, for example, a random sequence of say, 16 characters. The tags need to be encoded with keys that are unique to that batch or, better, to each individual tag. Those keys need to kept safe and the safe transport of keys from encoding service (the company encoding the keys on the tags) to software (the backend checking the validity of the code generated by the tag’s keys) is important.

And this is part of the reason why it’s taking a long time for authentication tags to reach the market. There are solutions on the market. The Ixkio NFC tag management system developed by our site sponsor Seritag is designed to provide an off the shelf solution. However, the process of encoding authentication tags and supplying them isn’t as easy as a normal tag and more work needs to be done for implementation.

Authentication security

The reality is that there’s no easy answer to how secure the tags are. Like many things, it’s more likely the way that the tags which will create flaws in the system. Can the encryption and the keys be hacked ? Quite possibly but in reality it’s not easy and ultimately, in most use cases, it’s more than strong enough.

So where are the flaws ? The first is inherent with ‘frictionless’ tag scanning. Essentially, the principle is that the tags can be scanned by any NFC mobile without an App. The tags, when scanned, will direct through to a website. The uniquely generated code is automatically embedded in the URL which the phone uses to collect the webpage and the server checks the code behind the scenes to say whether the tag is authentic or not. The flaw is that most users don’t know what web page they are going to see.

For example, a luxury brand may place an authentication NFC tag in a handbag. User scans the tag and gets redirected to the luxury brand’s website which says whether it’s authentic or not. However, the user doesn’t know what that web page looks like because they’ve never seen it before. So, a company making fake handbags can simply add any NFC tag redirecting to any webpage anywhere saying it’s not fake. User doesn’t really know the difference.

Now, this is only going to be a problem where general users don’t know which page they are going to. In closed loop systems such as a supply chain, the person doing the scanning might know what to expect and be ready for something that looks odd.

The solution is ultimately that the tags are not ‘frictionless’ and require the use of an App. The user must download the luxury brand’s app first before scanning the tag and thus the system is substantially more secure.

Is this a problem ? Probably not. In many consumer driven cases, the whole purpose of authentication tags in, for example, luxury goods is more to do with consumer interaction than any real control over counterfeit products. In which case, the act of authenticating the goods gives a reason to download the App and goal is achieved.

In other cases, such as the individual tagging of documents or other such items, it’s more the ability to hybrid identification with a simple frictionless security element quickly and easily.