HID vs NXP Credentials

By: Brian Rhodes, Published on Sep 12, 2013

Two companies dominate the global market for access control credentials: HID Global and NXP Semiconductor. Both companies own or influence huge chunks of the credentials game, so which one should you choose? In this note, we explain how their offerings differ, interoperate, and how the choice impacts system selection.

Credentials Dominated by Giants

Upwards of three quarters of the credentials market uses formats developed or licensed byHID Global and NXP Semiconductor.

HID Overview

Since the market began migrating away from 'magstripe' credentials in the mid 2000's, HID Global rose to prominence with it's 125 kHz "Prox" offerings. After being purchased by ASSA ABLOY, the company became 'the credentials house' for a huge swath of the security market, and OEMs products for access brands like Lenel, Honeywell, and Siemens. The company's best-known formats include:

  • "Proximity [link no longer available]": an older 125 kHz format, but still regularly used and specified even in new systems
  • iClass: an HID Global specific 13.56 MHz 'smartcard'

HID is the 'defacto' choice for credentials in the US. Because of commanding market share, HID is able to license the use of its credential formats to a variety of credential and reader manufacturers. Even when marketing general 'ISO 14443 compliant' offerings, HID strictly follows "Part B" standards (vs Part "A" - described in more detail later).

NXP Overview

Formerly Phillips Semiconductor, Europe-based NXP offers a number of 'contactless' credential components used in a number of markets - security, finance, and industrial. With widespread adoption of ISO standards in credential specification, NXP offers a catalog of types built to spec, including:

  • MIFARE PROX: NXP's 125 kHz format built on early drafts of ISO standards, but not as widely adopted as HID's "Proximity" lines
  • MIFARE/DESFire: an ISO Standards based NXP 'smartcard' format, also operating on 13.56 MHz The 'DESFire' moniker was introduced in the early 2000s to distinguish the format from 'MIFARE Classic' credentials. DESFire credentials feature stronger encryption that required higher performing chips. The 'Classic' format fell under scrutiny for being vulnerable to snoop attacks, and DESFire countered this threat. Because these improvements were made only to credentials, and existing MIFARE readers could still be used, the new format became known as 'MIFARE/DESFire'.

Unlike HID, NXP's credential formats are 'license-free' and the according standards are available for production use for no cost.  NXP manufacturers all ISO 14443 product to "Part A" standards.

Other Credentials

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

To a much smaller degree, other RFID-based data formats sporadically pop up in physical access control, including:

  • Gemalto IDprime.NET: IT-centric smart card format, originally used for logical access credentialing built on .NET framework
  • Sony FeliCa: Widespread use in Japan, especially for cashless proximity systems (mass transit, banking)

While not widely used in access control, those formats accomplish the same primary task and use the same basic methods of doing so as the 'market giants'.

US vs the World

Because of NXP Semiconductors's strength in EMEA and the lack of licensing, MIFARE, DESFire, and the associated derivatives are popular petty much everywhere outside the US.

However, HID Global's strongest markets are in the Americas, especially in the US. Despite the additional cost of licensing compliant credentials and readers, the company also produces product that uses the unlicensed NXP formats and has equal or greater operability as a result.

The ISO/IEC 14443 Division

Very little separates HID's iClass from NXP's MIFARE offerings, and if not for ambiguous interpretation of an ISO standard, they would 'look' the same to most readers. However, because early versions of the standard left room for differentiation, HID and NXP designed their 'compliant' standards with a different encryption structure.

The end result of this is both versions of credential claim 'ISO 14443 Compliance', but are not entirely interchangeable. To reconcile this difference, ISO revised 14443 to include parts 'A and/or B' to segregate the two offerings. Some aspects of these cards are readable across 'Parts', but any encoded data is unreadable between the two.

In general, because there is no licensing cost in using 'Part A' standards, many low-cost and new products start here.

 

Meanwhile, readers marketed specifically in the US or from vendors with a broader global market license use of 'Part B' compliance from HID:

However, determining which 'parts' a reader or credential is compliant with is not always listed, and confirming a specific brand/type of credential can be used is required.

Interoperability

While the 'Part A & B' division in ISO 14443 separates formats from being the same, it does not always mean they are unusable with each other. Portions of ISO 14443 are the same in both parts, including the 'Card Serial Number'. For some access systems, this is the unique number that identifies unique users, and because this number is not encoded, it will register in 'non standard' readers:

  • CSN/UID String: Essentially the card's unique identifier is readable because it is not stored in the deep 'encrypted' media. Many simple EAC platforms use only this number to define a user, and instead use the internal database to assign rights, schedules, and privileges.
  • Encoded Read/Write: However, the vast majority of storage within the card is encrypted and unreadable unless compliant readers are used. Especially for access systems using the credential itself for storage (eg: Salto, Hotel Systems) and for multi-factor authentication (eg: biometrics) high security deployments, the simple CSN is not sufficient.

System Impact

In terms of access systems, credential providers/formats matter most during design. Reader selection must consider the credential format, and all subsequent badges or fobs must agree with that choice. In terms of 'Access Management Platform' selection, this format does not generally matter, because the reader itself negotiates credential communication. As long as the platform is compatible with the reader, credential choice is a marginal impact, and most specify credential types based on logistics and ease of purchase rather than technology difference.

However, once this decision is made, changes are costly because they typically require replacement of credentials or reader devices. Changing from one format to the other can cost thousands and affects all users, so changes are uncommon.

5 reports cite this report:

Designing Access Control Guide on Jan 30, 2019
Designing an access control solution requires decisions on 8 fundamental...
Favorite Access Control Credentials 2018 on Mar 22, 2018
In this 2018 access integrator statistics result, which credential type holds...
Selecting Access Control Readers Tutorial on Nov 09, 2017
Given the variety of types available, specifying access control readers can...
Cracked 125kHz Access Control Migration Guide on May 19, 2017
Despite being one of the most popular credentials, 125 kHz credentials are...
Favorite Access Control Credentials 2016 on Nov 07, 2016
When it comes to the most popular way to unlock an access controlled door,...
Comments (5) : Members only. Login. or Join.

Related Reports

USA's Seek Scan Thermal Temperature System Examined on Apr 01, 2020
This US company, Seek, located down the road from FLIR and founded by former...
Milestone Presents XProtect On AWS on May 04, 2020
Milestone presented its XProtect on AWS offering at the April 2020 IPVM New...
HID Releases VertX Replacement Aero on Aug 10, 2020
HID is replacing two established and broadly supported types of access...
Hikvision Fever Screening Thermal Solutions Examined on Apr 13, 2020
Hikvision is marketing "safer, faster, smarter" with their Fever Screening...
Salesforce Drops Dahua and Hikvision on Aug 12, 2020
Salesforce has dropped Dahua and Hikvision as customers, forcing the two mega...
Cast Presents PoE Perimeter Lighting on Apr 28, 2020
Cast Lighting presented its PoE powered Perimeter fence system during the...
Exposing Fever Tablet Suppliers and 40+ Relabelers on Aug 05, 2020
IPVM has found 40+ USA and EU companies relabeling fever tablets designed,...
Network Cable Usage Statistics 2020 (Cat 5e vs Cat 6 vs Cat 6a) on Sep 02, 2020
Integrators are split between using Cat 5e, 6, and 6a but 2 of them have...
WDR Cheat Sheet and Camera Tracking - 30 Manufacturers on Aug 26, 2020
Manufacturers are regularly cryptic about what WDR support they actually...
IDIS Presents 12MP IR Panoramic Fisheye on May 26, 2020
IDIS presented its 12MP IR panoramic fisheye camera at the April 2020 IPVM...
US Startup Fever Inspect Examined on Aug 03, 2020
Undoubtedly late to fever cameras, this US company, Fever Inspect, led by a...
Access Control Course Fall 2020 - Register Now - Last Chance on Sep 09, 2020
Starts next week! IPVM offers the most comprehensive access control course in...
Brazil's Biggest Domestic Surveillance Company Intelbras Profile on Jul 29, 2020
While Intelbras is not widely known outside of Latin America, Intelbras is a...
Risks Of Managing End User Passwords (Statistics) 2020 on Sep 11, 2020
Alarmingly, most integrators used spreadsheets to manage passwords, IPVM...
Bias In Facial Recognition Varies By Country, NIST Report Shows on Jul 15, 2020
While many argue that face recognition is inherently racist, results from one...

Recent Reports

Hikvision Sues Over Brazilian Airport Loss on Sep 24, 2020
Hikvision was excluded from a Brazilian airport project because it is owned...
China General Chamber of Commerce Calls Out US Politics on Sep 24, 2020
While US-China relations at an all-time low, optimism about relations...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
IP Networking Course Fall 2020 - Last Chance - Register Now on Sep 23, 2020
Today is the last chance to register for the only IP networking course...
Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
IPVM Camera Calculator User Manual / Guide on Sep 23, 2020
Learn how to use the IPVM Camera Calculator (updated for Version 3.1). The...
Installation Course Fall 2020 - Save $50 - Last Chance on Sep 22, 2020
Today is your last chance to save $50 on registration for the Fall 2020 Video...
SimpliSafe Business Security Launched Examined on Sep 22, 2020
SimpliSafe has launched "SimpliSafe Business Security" that the company...
FLIR CEO: Many New Fever Entrants "Making Claims That The Science Just Won't Support" on Sep 22, 2020
FLIR's CEO joins a growing number calling out risks with fever / screening...
China Bems Temperature Measurement Terminal Tested on Sep 22, 2020
Guangzhou Bems (brand Benshi) is the manufacturer behind temperature...
Axis Exports To China Police Criticized By Amnesty International on Sep 21, 2020
Axis Communications and other EU surveillance providers are under fire from...
Milestone XProtect on AWS Tested on Sep 21, 2020
Milestone finally launched multiple cloud solutions in 2020, taking a...
Mobile Access Control Usage Statistics 2020 on Sep 21, 2020
Most smartphones can be used as access control credentials, but how...
Axis Compares Fever Camera Sellers to 9/11 on Sep 18, 2020
Axis Communications, the West's largest surveillance camera manufacturer, has...