Subscriber Discussion

High Security Alternatives To iCLASS SE Credentials?

MT
Michael Terrizzi
Apr 18, 2016

So I'm in a bit of a dilemma, for years I have been selling the upgrade process to HID iClass SE concept to customers. Selling multiclass readers and then migrated them over to iClass SE credentials.

Recently I have had a slew of readers fail in the field ( not all at once but over 6 month period ), about 35 of them, all show up dead or purple light ( internal failure per tech support ). I've had to change these out at our labor cost and HID RMA hassle. HID after 4 months finally verbally admitted to having a internal design flaw and have updated the revision design on these readers. This was after months of deny deny deny tactics from the manufacture.

I've had other issues with Indala + iClass SE readers also. They couldn't get that design right either, saying it was going support prox also but in the end, it only supports either prox or indala. Created a problem for two customers but we got through it.

I really like the Schlage NDE and Schlage AD series locks, Aptiq readers, but these are far from compatible with iClass SE.

I'm stuck between two solutions but in the end I want to do the right thing by migrating customers off standard prox to a high security card.

Any words of wisdom on HID or problems you have seen with the Aptiq or the artist formally known as XceedID.

Thanks in advance.

(1)
(1)
JH
John Honovich
Apr 18, 2016
IPVM

Our closest resource on this topic: The Prox Reader Shootout

I'll leave it to Brian R to give direct advice.

MT
Michael Terrizzi
Apr 18, 2016

John,

I'm talking about secure credential formats, not hack-able and spoof-able standard proximity.

Mostly migration readers and formats.

Wondering if anyone else had similar issues.

How a company deals with failures is the make or break for continued use. HID has not fared well in my eyes.

(1)
Avatar
Brian Rhodes
Apr 18, 2016
IPVMU Certified

That's interesting feedback. That's really unfortunate that it took 4 months to get resolution. Has HID told you this issue is widespread?

Unfortunately, the 3rd party readers I can think of without digging that support iClass are some kind of combo unit or multi-factor reader like a biometric. Just an iClass 13.56 MHz reader alone are far less common than the 125 kHz variety like you and John note.

Since you mentioned them, I understand the attraction to Aptiq. They are designed well and appear solid, but you're on an iClass migration path, they 'limit' support to MIFARE/ MIFARE DESFIRE EV1.

I'll send some emails today and keep digging on this. It is worth building a reference list on this topic... even though it is apparently a short one.

(1)
(1)
MT
Michael Terrizzi
Apr 18, 2016

Did you change the title of the discussion? Please change it back, that's not the topic I am trying to discuss.

Iclass is is a patented format so nothing other than HID readers or licensed modules will work with their credentials.

before I continue down the road with either vendor for a high security cards, I want to know if anyone else has had issues with either of these vendors or can recommend a third solution.

Avatar
Brian Rhodes
Apr 18, 2016
IPVMU Certified

If you're looking for alternatives to iClass, have you considered MIFARE or DESFIRE EV1?

From a security point of view, there is always a fringe whitepaper reporting a crack, but the 256 bit encryption really discourages traditional methods.

Because it is unlicensed to use, reader selection is easier to come by.

Avatar
Brian Rhodes
Apr 18, 2016
IPVMU Certified

Also, the topic needed work to get a response from membership. I tweaked it to garner more responses. This is a good topic with answers that can be greatly benefited by the widest audience.

SN
Steve Nauman
Apr 18, 2016

Our recent experience with HID is certainly in-line with yours. We had a run SE/HF cards arrive that hadn't been properly encoded. So we ordered another. Same issue. Fast forward 2+ weeks later and we still don't have working cards, due to "manufacturing issues", "supply shortages", and whatever else. Never was an HID fan before, and am even less-so now.

(1)
(1)
SN
Steve Nauman
Apr 18, 2016

Correction: SE/UHF cards.

UI
Undisclosed Integrator #1
Apr 13, 2017

They had a mistake in their ordering form last year where they letter T had the description of the letter S in the ordering guide for the cards... realised that today and asked HID to replace the 601 cards we had received a year ago....

MT
Michael Terrizzi
Apr 18, 2016

Yes they said they have updated the internal components. I don't remember which Revision numbers were affected but they said they replaced an internal chip that handles the power circuits.

DD
Dan Droker
Apr 18, 2016
LONG Building Technologies • IPVMU Certified

I have been told by Schlage that you can get iClass SE readers in the AD series products by special order - Schlage has the relationship to license the iClass technology from HID on an as-needed basis. The discussion was specific to AD products, so I don't know if it is available for aptiQ readers.

PA
Pat Alvaro
Apr 18, 2016

Hi Michael,

An option for you could be ICT's TSEC line of multi-technology readers and credentials. They offer Mifare DESFire EV1 smart card technology and the readers are available in a number of sizes.

http://www.ict.co/Proximity-Products

SN
Steve Nauman
Apr 18, 2016

MultiCLASS, you say? From the spec sheet:

"Secure Identity Object™ (SIO®) on iCLASS Seos, iCLASS SE/SR, MIFARE DESFire EV1 and MIFARE Classic (On by Default)"

So the question becomes "how do I encode EV1 cards w/ SIO data?". Otherwise, you either are stuck with CSN-only during the transition process, or you have to change out cards and readers simultaneously. I'd also match card #s, of course, to avoid having to reconfigure software.

SN
Steve Nauman
Apr 18, 2016

Answered my own question:

hid-mifare-desfire-ev1-prox-se-sio-cards-ds-en.pdf

You'd still need to get them encoded for aptiQ, though. Think they'd let you just ship them off to their factory? (Only mildly sarcastic.)

(1)
MT
Michael Terrizzi
Apr 18, 2016

SIO is just their encoded card number with their mifare encryption key. Same with Aptiq. Either can read the card serial number but not the encoded data because the encryption is proprietary to Aptiq and HID. CSN is about as secure as standard prox. However it one would need to know the system was looking for CSN and not the encoded data.

SN
Steve Nauman
Apr 18, 2016

I think I might've misread your question as you looking to migrate from iCLASS SE to aptiQ, but I typed this all up so I'll post it anyway.

Right, my point was that you can get HID's SIO on a card compatible with aptiQ readers, but I didn't realize that aptiQ's stuff supports ISO 15693. So, really, the physical communication layer is there, and it just comes down to whether or not either manufacturer would be willing to configure/encode third party readers/cards.

So, on to your actual question.

Regarding general experience with aptiQ, we long-ago standardized on their readers and EV1 cards, and we've had nothing but good experiences. From tech support to local sales people, I cannot emphasize enough how much I recommend Allegion over Assa.

(1)
(2)
MT
Michael Terrizzi
Apr 18, 2016

I heard Mifare EV2 is coming out... And they will tell us like Steve Jobs , how shitty and unsafe all the previous card format are vs EV2.

(1)
DP
Donald Peters
Apr 19, 2016
IPVMU Certified

We've had some bad experiences with iClass readers in the past. Specifically reader lockups, which were later resolved via firmware updates on each reader, but at our significant labor costs. Also, the datasheets seem to be historically low when estimating current draw on the iClass readers.

(1)
(1)
New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions