MIFARE: Product Family, Security & Use Cases
MIFARE is NXP's family of contactless smart card ICs built on ISO/IEC 14443 Type A — the technology behind most transit cards, building badges, and event tickets in the world. It is not EMV: MIFARE powers closed-loop credentials and stored value, while EMV handles open-loop bank card payments. This guide covers the product family, what broke and when, and where each product actually fits.
Where MIFARE sits in the contactless stack
All MIFARE products communicate over ISO/IEC 14443 Type A at 13.56 MHz — the same RF layer as contactless EMV cards. The difference is what runs on top:
- MIFARE Classic and Ultralight stop at ISO 14443-3 and speak a proprietary memory-access protocol — there is no APDU layer, no SELECT, no AID.
- MIFARE DESFire, Plus (SL3) and DUOX are full ISO 14443-4 cards with a file system and command set, selectable via ISO 7816-4 APDUs (DESFire's NDEF application even has a registered AID,
D2760000850100— look it up in the RID & AID Catalog). - EMV cards use the same ISO 14443-4 transport but run the EMV application layer (PPSE selection, GPO, GENERATE AC) — see the contactless payment flow.
Rule of thumb: EMV is open-loop — any card, any terminal, settled through the card networks. MIFARE is closed-loop — the scheme operator owns the cards, the readers, and the keys.
The product family
| Product | Crypto | Protocol | Status & role |
|---|---|---|---|
| MIFARE Classic 1K / 4K / EV1 | Crypto1 (proprietary, 48-bit) | ISO 14443-3 + proprietary | Broken The 1994 original. Sector/block memory with per-sector keys. Crypto1 has been fully broken since 2008 — legacy deployments only, never for new designs. |
| MIFARE Ultralight EV1 / C / AES | None (base) · 3DES (C) · AES-128 (AES) | ISO 14443-3 | Active Cheapest of the family, designed for disposable and limited-use media: paper event tickets, single-trip transit, hotel keys. Pick the AES variant when the ticket must resist cloning. |
| MIFARE Plus EV1 / EV2 | AES-128 (plus Crypto1 compatibility mode) | ISO 14443-3/-4 depending on level | Active The Classic migration path: security levels let a fleet run in Classic-compatible mode (SL1) while readers are upgraded, then switch the same cards to AES-only (SL3). |
| MIFARE DESFire EV1 / EV2 / EV3 / Light | DES / 2K3DES / 3K3DES / AES-128 | ISO 14443-4, ISO 7816-4 APDUs | Flagship Multi-application file system — one card can carry transit, access, and payment purse as separately-keyed applications. Common Criteria EAL5+ certified. EV3 is the current generation; DESFire Light is the single-application budget cut. |
| MIFARE DUOX | AES + ECC asymmetric authentication | ISO 14443-4 | Newest Adds public-key authentication to a DESFire-style file system, removing the shared-symmetric-key problem entirely. Aimed at EV charging, car access, and infrastructure where readers can't be trusted with fleet keys. |
| MIFARE 2GO | — | Cloud service | Service NXP's cloud platform that digitizes DESFire-based credentials into Apple Wallet and Google Wallet — how a closed-loop transit card or student ID ends up on a phone. |
Security history: why "MIFARE" needs a qualifier
MIFARE Classic's Crypto1 cipher was proprietary and unpublished. That lasted until researchers reverse-engineered the silicon:
- 2007 — Nohl & Plötz present a partial reverse-engineering of Crypto1 at the Chaos Communication Congress, recovered by slicing and photographing the chip.
- 2008 — Radboud University Nijmegen publishes Dismantling MIFARE Classic: full cipher recovery and practical key-recovery attacks. Card-only attacks (nested, darkside, later hardnested) soon recover all keys of a card in minutes with a hobbyist reader.
- 2008–2010s — "Magic" UID-changeable clone cards make Classic duplication trivial. Major schemes (including London's Oyster) migrate to DESFire. Hardened Classic-compatible clones with static encrypted nonces appear from third-party fabs.
- 2024 — Quarkslab (Philippe Teuwen) breaks the hardened static-encrypted-nonce variant and, in the process, uncovers a hardware backdoor key in Fudan FM11RF08S / FM11RF08 chips (with related backdoors in some older NXP- and Infineon-branded parts) that allows compromising all user keys in minutes of card access.
Practical guidance: treat MIFARE Classic — and any reader that authenticates by UID alone — as cloneable. New designs should use DESFire EV3 or Plus SL3 with per-card diversified AES keys; DUOX where offline readers can't be trusted with symmetric fleet keys. Ultralight AES covers the disposable end.
Use cases
Closed-Loop Transit
The defining MIFARE use case: stored-value fare cards with period passes and concession products. London's Oyster (migrated Classic → DESFire after the 2008 break), the Dutch OV-chipkaart, Moscow's Troika, and dozens of metro systems worldwide. Offline gate decisions in <100 ms, value and pass products stored in separately-keyed card applications. Open-loop EMV is displacing it for pay-as-you-go, but concessions, period passes, and unbanked riders keep closed-loop MIFARE running alongside.
Access Control & Corporate Badges
Office badges, data-center access, universities, gyms. Modern systems use DESFire EV3 with diversified keys and mutual authentication; a huge legacy installed base still runs Classic or reads bare UIDs — which is why badge cloning demos are a penetration-testing staple. Hotels sit in the same bucket: key cards are typically Ultralight C or Classic, re-keyed per stay.
Event Ticketing & Stadiums
Disposable smart tickets: a paper ticket with an embedded Ultralight inlay costs cents, validates offline at the turnstile, and can't be photocopied like a barcode. Used for single-match tickets, festivals wristbands, and ski passes. Season tickets move up to Classic/DESFire cards that carry entitlements for the whole season and double as loyalty media.
Campus Cards & Closed-Loop Payment
One student or employee card, many applications: door access, library, print quota, and a stored-value purse for the cafeteria and vending machines. DESFire's multi-application file system is built for exactly this — each service gets its own application with its own keys, so the canteen operator never holds the door-access keys. City citizen cards (transit + pools + libraries) follow the same pattern.
EV Charging & Mobility
RFID charge cards are still the dominant authentication method at European charging points — and a notorious weak spot, because many networks authenticate by card UID alone, which any magic card can clone. Car sharing, fleet fuel cards, and bike-share docks use the same pattern. This is the segment MIFARE DUOX targets: ECC public-key authentication means an offline charger never stores a symmetric fleet key worth stealing.
Loyalty, Membership & Mobile
Coffee-shop stored-value cards, casino player cards, museum memberships. Increasingly these skip plastic entirely: MIFARE 2GO provisions a DESFire-equivalent credential into Apple Wallet or Google Wallet, so a transit pass or student ID works from the phone's secure element with Express Mode-style taps — closed-loop MIFARE and mobile wallets are complements, not competitors.
Which product for which job
| Requirement | Pick | Why |
|---|---|---|
| Disposable ticket, cost-critical | Ultralight EV1 / AES | Cents per inlay; AES variant when cloning matters |
| Migrating an installed Classic fleet | Plus EV2 | Runs as Classic (SL1) until readers upgrade, then AES-only (SL3) |
| Multi-application card (transit + access + purse) | DESFire EV3 | Per-application keys, EAL5+, transaction MAC for backend audit |
| Single app, budget, still AES | DESFire Light | Fixed file layout, DESFire security at lower cost |
| Offline readers that can't hold fleet keys | DUOX | ECC public-key authentication — nothing secret in the reader |
| Credential in Apple/Google Wallet | MIFARE 2GO | Cloud provisioning of DESFire-based credentials to the phone SE |
| Anything new on Classic | — | Don't. Crypto1 is broken and hardened clones are backdoored |
Related reading & tools
NFC in Payments · NFC Payment Use Cases · RID & AID Catalog · Contactless Features (RRP, DS, MSD) · EMV Contactless Kernels