HID vs NXP Credentials

Published Sep 12, 2013 04:00 AM
PUBLIC - This article does not require an IPVM subscription. Feel free to share.

Two companies dominate the global market for access control credentials: HID Global and NXP Semiconductor. Both companies own or influence huge chunks of the credentials game, so which one should you choose? In this note, we explain how their offerings differ, interoperate, and how the choice impacts system selection.

Credentials Dominated by Giants

Upwards of three quarters of the credentials market uses formats developed or licensed by HID Global and NXP Semiconductor.

HID Overview

Since the market began migrating away from 'magstripe' credentials in the mid-2000s, HID Global rose to prominence with its 125 kHz "Prox" offerings. After being purchased by ASSA ABLOY, the company became 'the credentials house' for a huge swath of the security market, and OEMs products for access brands like Lenel, Honeywell, and Siemens. The company's best-known formats include:

  • Proximity: an older 125 kHz format, but still regularly used and specified even in new systems
  • iClass: an HID Global specific 13.56 MHz 'smartcard'

HID is the 'de facto' choice for credentials in the US. Because of its commanding market share, HID is able to license the use of its credential formats to a variety of credential and reader manufacturers. Even when marketing general 'ISO 14443 compliant' offerings, HID strictly follows "Part B" standards (vs. Part "A", described in more detail later).

NXP Overview

Formerly Philips Semiconductors, Europe-based NXP offers a number of 'contactless' credential components used across several markets: security, finance, and industrial. With widespread adoption of ISO standards in credential specification, NXP offers a catalog of types built to spec, including:

  • MIFARE PROX: NXP's 125 kHz format built on early drafts of ISO standards, but not as widely adopted as HID's "Proximity" lines
  • MIFARE/DESFire: an ISO standards-based NXP 'smartcard' format, also operating on 13.56 MHz. The 'DESFire' moniker was introduced in the early 2000s to distinguish the format from 'MIFARE Classic' credentials. DESFire credentials feature stronger encryption that required higher-performing chips. The 'Classic' format fell under scrutiny for being vulnerable to snoop attacks, and DESFire countered this threat. Because these improvements were made only to the credentials, and existing MIFARE readers could still be used, the new format became known as 'MIFARE/DESFire'.

Unlike HID, NXP's credential formats are 'license-free' and the corresponding standards are available for production use at no cost. NXP manufactures all of its ISO 14443 products to "Part A" standards.

Other Credentials

To a much smaller degree, other RFID-based data formats sporadically pop up in physical access control, including:

  • Gemalto IDprime.NET: IT-centric smart card format, originally used for logical access credentialing built on .NET framework
  • Sony FeliCa: Widespread use in Japan, especially for cashless proximity systems (mass transit, banking)

While not widely used in access control, those formats accomplish the same primary task and use the same basic methods of doing so as the 'market giants'.

US vs the World

Because of NXP Semiconductors' strength in EMEA and the lack of licensing, MIFARE, DESFire, and the associated derivatives are popular pretty much everywhere outside the US.

However, HID Global's strongest markets are in the Americas, especially in the US. Despite the additional cost of licensing compliant credentials and readers, the company also produces products that use the unlicensed NXP formats and has equal or greater interoperability as a result.

The ISO/IEC 14443 Division

Very little separates HID's iClass from NXP's MIFARE offerings, and if not for an ambiguous interpretation of an ISO standard, they would 'look' the same to most readers. However, because early versions of the standard left room for differentiation, HID and NXP designed their 'compliant' products with different encryption structures.

The end result is that both versions of the credential claim 'ISO 14443 compliance', but they are not entirely interchangeable. To reconcile this difference, ISO revised 14443 to include parts 'A and/or B' to segregate the two offerings. Some aspects of these cards are readable across 'Parts', but any encoded data is unreadable between the two.

In general, because there is no licensing cost in using 'Part A' standards, many low-cost and new products start here.

Meanwhile, readers marketed specifically in the US, or from vendors with a broader global market, license use of 'Part B' compliance from HID.

However, the 'parts' a reader or credential complies with are not always listed, so confirming that a specific brand/type of credential can be used with a given reader is required.

Interoperability

While the 'Part A & B' division in ISO 14443 means the two formats are not the same, it does not always mean they are unusable with each other. Portions of ISO 14443 are common to both parts, including the 'Card Serial Number'. For some access systems, this is the number that uniquely identifies each user, and because it is not encoded, it will register even on 'non-standard' readers:

  • CSN/UID String: The card's unique identifier is readable because it is not stored in the 'encrypted' portion of the media. Many simple EAC platforms use only this number to define a user, and instead use the internal database to assign rights, schedules, and privileges.
  • Encoded Read/Write: However, the vast majority of storage within the card is encrypted and unreadable unless compliant readers are used. Especially for access systems that use the credential itself for storage (e.g. Salto, hotel systems) and for high-security deployments with multi-factor authentication (e.g. biometrics), the simple CSN is not sufficient.
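The following is an added, illustrative model (not code from IPVM, HID, or NXP, and not real ISO/IEC 14443 protocol handling) of the two points above and of the 'Part A / Part B' division: a CSN-only controller registers a card on any reader because the serial number is sent in the clear, whereas a controller that verifies encoded data needs a reader that both speaks the card's 'part' and holds the right site key. The `Card`, `Reader`, `Controller`, the HMAC-based `site_tag` binding and the per-part site keys are all constructed for the example and do not describe either vendor's actual key or sector layout.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Card:
    """A contactless card in this model (constructed, not a vendor format)."""
    part: str                                  # "A" (NXP-style) or "B" (HID-style) air interface
    csn: bytes                                 # card serial number / UID, exchanged in the clear
    sector: dict = field(default_factory=dict)  # encoded application data, key-protected


@dataclass
class Reader:
    """A reader that implements some set of ISO 14443 parts (hypothetical)."""
    parts: frozenset   # which parts the reader can talk to
    site_keys: dict    # hypothetical per-part site keys provisioned in the reader

    def read_csn(self, card):
        # The UID exchange is common to both parts, so the CSN registers
        # regardless of which part the reader was built for.
        return card.csn

    def read_sector(self, card):
        # Encoded data needs the matching air interface AND a provisioned key;
        # otherwise the sector stays unreadable, as the article describes.
        if card.part not in self.parts or card.part not in self.site_keys:
            return None
        return card.sector


def site_tag(key, csn, user_id):
    """Constructed binding of a user id to one CSN under a site key."""
    return hmac.new(key, csn + user_id.encode(), hashlib.sha256).digest()


def enroll(card, key, user_id):
    """Personalise a card for this site by writing the encoded sector."""
    card.sector = {"user_id": user_id, "tag": site_tag(key, card.csn, user_id)}
    return card


class Controller:
    """An EAC decision point with two policies: 'csn' (CSN-only) or 'encoded'."""

    def __init__(self, mode, users):
        self.mode = mode     # "csn" or "encoded"
        self.users = users   # csn -> user_id, the controller's own database

    def decide(self, reader, card):
        user = self.users.get(reader.read_csn(card))
        if user is None:
            return "deny"
        if self.mode == "csn":
            return "grant"   # CSN-only platforms stop here
        sector = reader.read_sector(card)
        if sector is None or sector.get("user_id") != user:
            return "deny"    # wrong part, no key, or unpersonalised card
        expected = site_tag(reader.site_keys[card.part], card.csn, user)
        if not hmac.compare_digest(sector.get("tag", b""), expected):
            return "deny"
        return "grant"


def demo():
    """Run both policies over constructed cards and readers; returns outcomes."""
    key_a = b"constructed-site-key-A"
    key_b = b"constructed-site-key-B"
    card_a = enroll(Card("A", b"\x04\xa1\xb2\xc3"), key_a, "alice")
    card_b = enroll(Card("B", b"\x08\x11\x22\x33"), key_b, "bob")
    blank_b = Card("B", b"\x08\x11\x22\x33")        # same CSN, never personalised here
    reader_a = Reader(frozenset({"A"}), {"A": key_a})
    reader_ab = Reader(frozenset({"A", "B"}), {"A": key_a, "B": key_b})
    users = {card_a.csn: "alice", card_b.csn: "bob"}
    results = {}
    for mode in ("csn", "encoded"):
        ctrl = Controller(mode, users)
        results[(mode, "A-reader", "A-card")] = ctrl.decide(reader_a, card_a)
        results[(mode, "A-reader", "B-card")] = ctrl.decide(reader_a, card_b)
        results[(mode, "AB-reader", "B-card")] = ctrl.decide(reader_ab, card_b)
        results[(mode, "AB-reader", "blank-B-card")] = ctrl.decide(reader_ab, blank_b)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In 'csn' mode every enrolled serial number is granted, whichever reader it is presented to, including the unpersonalised card that merely carries a known CSN. In 'encoded' mode the Part-A-only reader cannot read the Part B card's sector and denies it, the dual-part reader with the Part B site key grants it, and the unpersonalised card is denied because it carries no encoded data to verify. That is the practical reason the article gives for CSN-only identification being insufficient in higher-security deployments.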

System Impact

In terms of access systems, credential providers/formats matter most during design. Reader selection must consider the credential format, and all subsequent badges or fobs must agree with that choice. In terms of 'Access Management Platform' selection, this format does not generally matter, because the reader itself negotiates credential communication. As long as the platform is compatible with the reader, credential choice has only a marginal impact, and most specify credential types based on logistics and ease of purchase rather than technology differences.

However, once this decision is made, changes are costly because they typically require replacement of credentials or reader devices. Changing from one format to the other can cost thousands and affects all users, so changes are uncommon.
