HID vs NXP Credentials

By: Brian Rhodes, Published on Sep 12, 2013

Two companies dominate the global market for access control credentials: HID Global and NXP Semiconductor. Both companies own or influence huge chunks of the credentials game, so which one should you choose? In this note, we explain how their offerings differ, interoperate, and how the choice impacts system selection.

Credentials Dominated by Giants

Upwards of three quarters of the credentials market uses formats developed or licensed byHID Global and NXP Semiconductor.

HID Overview

Since the market began migrating away from 'magstripe' credentials in the mid 2000's, HID Global rose to prominence with it's 125 kHz "Prox" offerings. After being purchased by ASSA ABLOY, the company became 'the credentials house' for a huge swath of the security market, and OEMs products for access brands like Lenel, Honeywell, and Siemens. The company's best-known formats include:

  • "Proximity [link no longer available]": an older 125 kHz format, but still regularly used and specified even in new systems
  • iClass: an HID Global specific 13.56 MHz 'smartcard'

HID is the 'defacto' choice for credentials in the US. Because of commanding market share, HID is able to license the use of its credential formats to a variety of credential and reader manufacturers. Even when marketing general 'ISO 14443 compliant' offerings, HID strictly follows "Part B" standards (vs Part "A" - described in more detail later).

NXP Overview

Formerly Phillips Semiconductor, Europe-based NXP offers a number of 'contactless' credential components used in a number of markets - security, finance, and industrial. With widespread adoption of ISO standards in credential specification, NXP offers a catalog of types built to spec, including:

  • MIFARE PROX: NXP's 125 kHz format built on early drafts of ISO standards, but not as widely adopted as HID's "Proximity" lines
  • MIFARE/DESFire: an ISO Standards based NXP 'smartcard' format, also operating on 13.56 MHz The 'DESFire' moniker was introduced in the early 2000s to distinguish the format from 'MIFARE Classic' credentials. DESFire credentials feature stronger encryption that required higher performing chips. The 'Classic' format fell under scrutiny for being vulnerable to snoop attacks, and DESFire countered this threat. Because these improvements were made only to credentials, and existing MIFARE readers could still be used, the new format became known as 'MIFARE/DESFire'.

Unlike HID, NXP's credential formats are 'license-free' and the according standards are available for production use for no cost.  NXP manufacturers all ISO 14443 product to "Part A" standards.

Other Credentials

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

To a much smaller degree, other RFID-based data formats sporadically pop up in physical access control, including:

  • Gemalto IDprime.NET: IT-centric smart card format, originally used for logical access credentialing built on .NET framework
  • Sony FeliCa: Widespread use in Japan, especially for cashless proximity systems (mass transit, banking)

While not widely used in access control, those formats accomplish the same primary task and use the same basic methods of doing so as the 'market giants'.

US vs the World

Because of NXP Semiconductors's strength in EMEA and the lack of licensing, MIFARE, DESFire, and the associated derivatives are popular petty much everywhere outside the US.

However, HID Global's strongest markets are in the Americas, especially in the US. Despite the additional cost of licensing compliant credentials and readers, the company also produces product that uses the unlicensed NXP formats and has equal or greater operability as a result.

The ISO/IEC 14443 Division

Very little separates HID's iClass from NXP's MIFARE offerings, and if not for ambiguous interpretation of an ISO standard, they would 'look' the same to most readers. However, because early versions of the standard left room for differentiation, HID and NXP designed their 'compliant' standards with a different encryption structure.

The end result of this is both versions of credential claim 'ISO 14443 Compliance', but are not entirely interchangeable. To reconcile this difference, ISO revised 14443 to include parts 'A and/or B' to segregate the two offerings. Some aspects of these cards are readable across 'Parts', but any encoded data is unreadable between the two.

In general, because there is no licensing cost in using 'Part A' standards, many low-cost and new products start here.

 

Meanwhile, readers marketed specifically in the US or from vendors with a broader global market license use of 'Part B' compliance from HID:

However, determining which 'parts' a reader or credential is compliant with is not always listed, and confirming a specific brand/type of credential can be used is required.

Interoperability

While the 'Part A & B' division in ISO 14443 separates formats from being the same, it does not always mean they are unusable with each other. Portions of ISO 14443 are the same in both parts, including the 'Card Serial Number'. For some access systems, this is the unique number that identifies unique users, and because this number is not encoded, it will register in 'non standard' readers:

  • CSN/UID String: Essentially the card's unique identifier is readable because it is not stored in the deep 'encrypted' media. Many simple EAC platforms use only this number to define a user, and instead use the internal database to assign rights, schedules, and privileges.
  • Encoded Read/Write: However, the vast majority of storage within the card is encrypted and unreadable unless compliant readers are used. Especially for access systems using the credential itself for storage (eg: Salto, Hotel Systems) and for multi-factor authentication (eg: biometrics) high security deployments, the simple CSN is not sufficient.

System Impact

In terms of access systems, credential providers/formats matter most during design. Reader selection must consider the credential format, and all subsequent badges or fobs must agree with that choice. In terms of 'Access Management Platform' selection, this format does not generally matter, because the reader itself negotiates credential communication. As long as the platform is compatible with the reader, credential choice is a marginal impact, and most specify credential types based on logistics and ease of purchase rather than technology difference.

However, once this decision is made, changes are costly because they typically require replacement of credentials or reader devices. Changing from one format to the other can cost thousands and affects all users, so changes are uncommon.

5 reports cite this report:

Designing Access Control Guide on Jan 30, 2019
Designing an access control solution requires decisions on 8 fundamental questions. This in-depth guide helps you understand the options and...
Favorite Access Control Credentials 2018 on Mar 22, 2018
In this 2018 access integrator statistics result, which credential type holds the favored spot to unlock access doors? More than 150 integrators...
Selecting Access Control Readers Tutorial on Nov 09, 2017
Given the variety of types available, specifying access control readers can be a daunting process. However, focusing on a few key elements will...
Cracked 125kHz Access Control Migration Guide on May 19, 2017
Despite being one of the most popular credentials, 125 kHz credentials are easily copied and insecure as we showed in our test results, video...
Favorite Access Control Credentials 2016 on Nov 07, 2016
When it comes to the most popular way to unlock an access controlled door, which credential type holds the favored spot among integrators? The...
Comments (5) : Members only. Login. or Join.

Related Reports

Uniview Heat-Tracker Temperature Screening Series Examined on Apr 22, 2020
Uniview is marketing #UNVagainstCOVID19 with their Heat-Tracker series, including not only thermal camera screening systems, but options for face...
USA's Seek Scan Thermal Temperature System Examined on Apr 01, 2020
This US company, Seek, located down the road from FLIR and founded by former FLIR employees is offering a thermal temperature system for the...
Open Access Controller Guide (Axis, HID, Isonas, Mercury) on Sep 19, 2019
In the access control market, there are many software platforms, but only a few companies that make non-proprietary door controllers. Recently,...
Axis ARTPEC-7 Chip Release Examined on Apr 08, 2019
For years, Axis essentially de-promoted their own chips. Now, they are reversing course. Axis has announced ARTPEC-7, their latest chip, which...
Milestone Disrupts Milestone With Arcules on Nov 19, 2018
Milestone is now competing against... Milestone's own spinout Arcules. New IPVM testing shows that Arcules has incorporated a substantial amount...
Favorite Access Control Credentials 2018 on Mar 22, 2018
In this 2018 access integrator statistics result, which credential type holds the favored spot to unlock access doors? More than 150 integrators...
Hanwha Techwin Spins Out Security Business on Mar 06, 2018
In an era of security acquisitions and mergers, with most recently Avigilon being acquired by Motorola and Bosch merging its security businesses,...
ADT / ASG 'Merger' Acquisition on Feb 12, 2018
ADT, the $4 billion annual revenue security giant, recently publicly traded again, has merged with security integrator Aronson Security...
Dahua Access Control Tested on Oct 10, 2017
Can Dahua become a major force in access control? We bought Dahua's ASC1202B [link no longer available] to find out. We tested Dahua access and...
Genetec Launches Cloud Access Control (Synergis SaaS) on Sep 21, 2017
Genetec's cloud everything expansion continues, with their announcement of Synergis SaaS edition, joining their cloud video offering Stratocast,...

Most Recent Industry Reports

Access Control Online Show - July 2020 - With 40+ Manufacturers - Register Now on Jul 01, 2020
IPVM is excited to announce our July 2020 Access Control Show. With 40+ companies presenting across 4 days, this is a unique opportunity to hear...
Hanwha Face Mask Detection Tested on Jul 01, 2020
Face mask detection or, more specifically lack-of-face-mask detection, is an expanding offering in the midst of coronavirus. Hanwha in partnership...
UK Government Says Fever Cameras "Unsuitable" on Jul 01, 2020
The UK government's medical device regulator, MHRA, told IPVM that fever-seeking thermal cameras are "unsuitable for this purpose" and recommends...
Camera Course Summer 2020 on Jun 30, 2020
This is the only independent surveillance camera course, based on in-depth product and technology testing. Lots of manufacturer training...
Worst Over But Integrators Still Dealing With Coronavirus Problems (June Statistics) on Jun 30, 2020
While numbers of integrators very impacted by Coronavirus continue to drop, most are still moderately dealing with the pandemic's problems, June...
FLIR Screen-EST Screening Software Tested on Jun 30, 2020
In our FLIR A Series Test, the cameras' biggest drawback was their lack of face detection, requiring manual adjustment when screening each...
Dahua Buenos Aires Bus Screening Violates IEC Standards and Dahua's Own Instructions on Jun 30, 2020
Dahua has promoted Buenos Aires bus deployments as "solutions that facilitate community safety". However, they violate IEC standards and,...
UK Firm Markets False Fever Screening, Hikvision Disavows on Jun 30, 2020
A UK security firm falsely claimed its Hikvision-based thermal solution could be used for "accurately detecting fever in any person", even claiming...
Industry Study: 83% of US Temperature Screening Sellers Falsely Say Not Medical Devices on Jun 29, 2020
83% of US companies selling temperature screening devices, aka 'fever' detectors, claim they are not medical devices, contrary to FDA definition,...
Manufacturers on Virtual 'ISC West' 2020 and Potential ISC West 2021 on Jun 29, 2020
With the 2020 ISC West show now officially canceled, attention turns to Reed's new "ISC West 2020 Virtual Event" planned for October and for the...