Product Authentication With NFC Tags

Photo by Tamara Bellis on Unsplash

The market for fake goods is huge by any measure. It’s estimated to reach 1.2 Trillion USD in 2018*. It affects almost every product sector including luxury goods, clothing, technology, food and drink, automotive parts and many more.

And it’s not just consumer goods and industrial products. The WHO estimates 10% of drugs sold in developing countries are fake and can be linked to 100,000 deaths in Africa alone. Fake pharmaceuticals are a 200 billion USD business**

Crucially, the counterfeit problem is just that complete products are entering the market. There’s an increasing problem with parts entering the supply chain along the way, risking brand reputation and ultimately user safety on end products. There’s been documented cases of food being tampered – high quality olive oil and wines being diluted and mixed down with cheaper variants between supplier and producer.

How NFC tags can help solve the counterfeit problem

There’s fundamentally two benefits with using NFC tags. Firstly, they can be integrated directly into products. This helps because the tags can be added into the supply chain without knowledge which can act as a substantial additional protection. Secondly, no special equipment is required to read an NFC tag which means that a large number of nodes along the supply chain can check the validity of the product.

This is very difficult to achieve with any other system. While RFID can also be used, it requires specialist equipment to scan the tags. QR codes or similar barcodes don’t have the technological barrier that NFC tags have – they need to be visible and can be copied easily.

Using NFC tags throughout the supply chain isn’t a magic bullet, but it can add a substantial level of security with very little effort.

How to use NFC tags for product authentication

Let’s have a look at the options available on using NFC tags for authentication.

Standard NFC Tags : Using encoded data

It’s quick and easy to encode data within the standard memory space of an NFC tag. Additionally, each NFC tag can be encoded with unique data so that, for example, each tag can link to a website with additional unique data. That unique data can be used to check if the tags are genuine.

It’s a simple method but realistically, as easy as it is to encode data into the standard memory space, it’s also very easy to copy it. So what’s the benefit of this ? Well, simply it works at three levels.

Firstly, if the tag isn’t visible and generally people aren’t aware that it’s there, then it works on a very simple – tag is there/tag isn’t there kind of security. In short, if there’s a product at the end of the line that doesn’t have a tag then something isn’t right.

Secondly, it does add a small additional layer of protection in that anyone looking to copy the product must go to the additional effort to include an NFC tag. On high end goods this might not provide much of a barrier but on cheaper products such as a t-shirt, then it might just be enough.

Thirdly, for anyone to copy the tag, they would need to have access to the original. If each tag is encoded with a unique data reference, then any copies would simply be multiples of exactly the same ID. While this would create a problem for the original, it would make it obvious that certain ID numbers have been compromised and thus, relatively simple to classify that ID as fake.

Standard NFC Tags : Using the UID of the chip

Every single genuine NFC tag has a UID encoded into it during manufacture. This UID cannot be modified on genuine NFC tags and is globally unique (or unique enough).

This UID can be used to verify the authenticity of the NFC tag. It’s relatively simple to do on Android but unfortunately, it can’t currently be read on Apple’s iPhone. This doesn’t necessarily mean it’s useless. If it’s used to manage the supply chain then specifying the use of Android phones may not be an issue. If, however, it’s used as a mechanism for end users or consumers to authenticate then it’s not ideal.

It’s not perfect. It’s possible to purchase NFC tags from certain sources which allow the UID to be encoded. Which means that the UID from a valid product can be copied to a fake product and the situation ends back with encoding into the standard memory space.

In short, NFC.Today wouldn’t consider this to much more than a very basic method of authentication and realistically, no better than encoding into the regular memory space.

Authentication Tags : Advanced protection

As reported on NFC.Today throughout this year, the new generation of authentication NFC tags has started to arrive. We won’t go into full detail on how they work here as we’ve written about how authentication tags work before. However, they offer a substantially increased level of protection over standard NFC tags.

The downside to using authentication NFC tags is that they are more complicated to use and they cost more than standard tags. However, the price will gradually reduce and software services such as Ixkio will gradually reduce the technical barrier to using them.

Authentication Software : Off the shelf solutions

This is a growing market and potentially huge, so it’s no surprise that there’s a growing number of off the shelf software solutions. Some of these, such as Il Mio World are combing NFC with blockchains, others such as Selinko, Bluebite and 1TrueID are offering a combined off the shelf authentication and user experience option.

NFC.Today expect many more options to be arriving in the market and they are likely to provide a quick an easy route to using authentication tags.

The downside for most of these systems is generally that they lock the brand and product into using the technology. Once a tag is in a product, particularly a luxury product, it will be there for a long time. For the lifetime of that product, for the NFC tag to function, the software will need to be working. That means that it will need to be paid for but importantly it will also mean that the company will need to survive. In any start-up market, there will be some companies that don’t make it.

The scan flow – why it’s important

Let’s have a look at the scan flow of the NFC tag scan as it makes a substantial difference to the overall level of security of the system. For this discussion, we will assume that the tag is visible and anyone within and outside the supply chain might scan it. If the tag is hidden and only used within the supply chain, then many of these issues don’t apply.

To make it simple, the issue is that while an NFC tag with secure data might link through to a secure service – what happens if the entire system is fake. In other words, what if the tag and what the tag links to is all completely fake.

Consider this possibility. An NFC tag is placed into a product and the NFC tag is scanned without an App. The tag, while secure, will link through to a website which will indicate that the tag is secure. The user, never having used this system before, assumes that this message is authentic and is happy. But what if the tag is fake and the landing page is fake – the user will not know the difference.

The only way around this problem is that the tag must be scanned with an App. Clearly, it must be an App that is also genuine but let’s assume for the moment that it is. Because the tag is scanned from an authorised App and then the App can make sure that the check is correct and therefore secure the chain.

This means that to secure the system, the brand must use a third party App or build authentication (or access to an authentication system via an API) into their own App.

Much of the discussion at this level balances between two arguments. On one hand, how important is the ‘frictionless’ NFC tag scan (a tag scan that doesn’t require an App or a specific App) and on the other hand, how important is the security. In reality, at the consumer level, how crucial is it that such a high level of authentication is required.

As mentioned, this generally isn’t a problem when the tags are used within a known supply chain. In these cases, the user scanning the tag is likely to know or expect a certain page and therefore even with frictionless (app free) scanning, it’s not typically an issue.

How to integrate NFC tags into products

So, how are tags integrated into products ?

Generally, there’s two ways that this is currently done. Clearly, there’s any number of options but let’s look at three of them.

Photo by Andrew Tanglao on Unsplash

Integrated tags

Essentially, the NFC tags are fully integrated into the product. In the case of a pair of shoes, the tag might be in the liner. On a product, it might be behind a plastic moulding. The key element is that the tags are added during the manufacturing process. They are fully integrated.

Additional hang tag

In this instance, the tags are added to additional swing tags, PVC cards or similar items which are either attached or provided with the product. For example, a luxury watch might include an authentication card within the presentation box.

External tags

In this instance, the NFC tags are applied to the outside of the products. This can be an easy and flexible solution if, for example, the tags are added to food packaging or similar where integration or additional hang tags might be problematic.

Combining authentication with tamper detection

In addition to NFC authentication, there’s also the option now of using tamper detection tags. While they both can be used to act as a protection mechanism, they are different in their function.

Tamper detection tags work in one of two ways. Either the tag is completely destroyed when an attempt is made to remove it – the NFC tag will not scan and will no longer work. An increasingly common alternative is a new generation of tamper tags which detect the tamper but continue to work.

The new tamper tags work because the data on the tag is automatically changed when a tamper is detected. The data change will typically be a variable within a URL which can then be checked either using a frictionless scan (no specific App) or using an App.

The important point is that this is quite different than authentication tags. Tamper tags work in the same way as normal tags and their security is simply to detect tampering. There’s no inbuilt function to check that the tag itself is genuine in any more than using a unique URL or using the UID as described above.

However, this situation is changing as well. NXP recently launched a new NFC tag, the NTAG424 TT which combines authentication and tamper features together. It’s not the only chip and there are others on the way.

Additional benefits

In itself, preventing counterfeit goods, protecting the consumer and adding brand protection is more than enough reason to add authentication tags to products. However, there’s often additional benefits as well.

Consider a tag embedded into a luxury item without authentication. Some information supplied with the item might ask the user to scan the tag for promotional offers or to register the product. The user might, but it’s not perhaps an unusual request and therefore perhaps not a particularly powerful call to action.

Now consider that the user is asked to scan the NFC tag to check that the product is authentic. The performance is likely to be substantially higher.

The result of this is an increased user interaction which in turn can improve brand loyalty and customer interaction.


*Global Brand Counterfeiting Report 2018, Research and Markets **PricewaterhouseCoopers, June 201