Paxton Net2 & Switch2 Tokens Explained (Hitag2)

Paxton Net2, Switch2 and the UK Market

Paxton Access is the dominant access-control manufacturer across the UK and Ireland, with Net2 and Switch2 representing its two principal product lines. Net2 is a networked, software-managed platform suited to multi-door commercial and enterprise sites; Switch2 is the standalone, simpler sibling for single-door or small-site deployments. Both platforms use the same token form factor and, critically, the same Hitag2-based credential technology, which means the credential supply question is identical across both product families.

The sheer scale of Paxton's installed base — tens of thousands of sites ranging from GP surgeries to multi-storey car parks — makes compatible token supply commercially significant. OEM fobs carry a premium that adds up quickly when a site needs to issue fifty or a hundred credentials, and procurement teams routinely look for a qualified independent supplier. That demand sits squarely in our product range, covered under our compatible key fob programme for every major format.

Paxton's token range spans several part numbers — the most frequently ordered being the standard black fob (part 695-644) and the proximity card equivalents — but the underlying credential format is consistent across the standard token lineup. Ordering compatible stock by part number reference is straightforward once you understand what the format actually requires under the hood.

For installers and facilities managers responsible for multiple Paxton sites, the economics of compatible supply are clear. Even modest per-unit savings compound substantially across a programme that routinely involves staff turnover, lost fobs, and new-joiner issuances. Independent supply from a specialist credential manufacturer delivers the same enrolment experience as OEM stock at a more competitive price point, with the added benefit of a supplier focused specifically on credential quality and compatibility assurance.

Why Hitag2 Is Not a Plain 125 kHz Proximity Card

Standard 125 kHz read-only credentials — EM4100, HID Prox, Indala — broadcast a fixed ID on request with no authentication layer. Any compatible reader that knows the encoding simply reads and acts on that ID. Hitag2 operates differently: it is a bidirectional, password-authenticated LF protocol. Before the tag transmits its identifier, the reader and the tag perform a mutual authentication exchange using a shared secret embedded in the chip's protected memory pages.

The practical consequence is that a Hitag2-compatible fob must be correctly configured — password and memory layout set to match what the Paxton controller expects — before it will be enrolled or recognised. A blank Hitag2 chip that has not been configured will simply not respond correctly to a Net2 or Switch2 reader. This is the source of frequent confusion: buyers familiar with plain prox cards assume any 125 kHz blank will substitute in, only to find the controller silently rejects credentials that haven't been prepared for the format. Our T5577 explanation guide covers the broader landscape of programmable LF blanks, but Hitag2 is its own distinct protocol class that T5577 does not replicate.

The password-protected architecture also means Hitag2 sits in a different compliance category to plain prox. Sites using Hitag2 get a meaningful step up in LF-layer security compared to EM4100 or standard 26-bit Wiegand cards. It is not a high-security smart-card protocol — that tier belongs to AES-encrypted HF formats — but it is substantially more robust than unprotected prox, which matters for the risk profile of the many medium-security commercial sites Paxton serves.

Understanding this distinction is also important for procurement conversations. When a facilities manager asks whether a compatible fob will 'work the same way,' the answer is yes — but only because the compatible fob has been correctly prepared at the protocol level, not simply because it shares the 125 kHz operating frequency with plain prox credentials. The preparation step is what makes our Hitag2 compatible fob a direct functional equivalent to the Paxton OEM token.

Token Part Numbers and What They Tell You

Paxton publishes a straightforward part-number taxonomy. The standard Net2 key fob is 695-644 (black finish, ISO-standard key ring loop). There are also card-form credentials (695-651 and related) and proximity cards for the Net2 reader range. Switch2 tokens share the same credential format and the standard fob part numbers cross-apply — the platform distinction is in the controller hardware, not the token itself.

When procuring compatible stock, the part number gives you the physical form factor you need, but the format specification that matters for compatibility is the Hitag2 protocol configuration, not the moulded case reference. Our Paxton Net2/Switch2 compatible fob product listing maps directly to the standard 695-644 equivalent: same dimensions, same loop placement, same chip class, programmed to the correct factory configuration. Buyers can reference the OEM part number in their purchase order for traceability; we fulfil to that specification.

If you are unsure whether your site uses the standard token format or one of Paxton's less common proximity card variants, our access card format identification guide walks through the physical inspection steps and, where relevant, the reader-output check that confirms the protocol in use.

Sites that have accumulated a mix of credential generations — perhaps older Switch2 tokens alongside newer Net2 installations — will find that compatible supply simplifies reordering considerably. Rather than tracking OEM stock levels across multiple part-number variants, a single compatible fob specification covers the standard Hitag2 credential type used across the Paxton estate. The physical form factor of the 695-644 equivalent is the most commonly held, and our standard stock reflects that.

Producing a Compatible Paxton Token

A correctly produced compatible Paxton fob starts with a genuine Hitag2-class blank — not a generic LF blank, and not an EM4100 credential relabelled. The chip's authentication block and configuration pages must be written to the correct state before the fob is packaged. This is a programming step, not a duplication exercise: the output is a blank credential in the right protocol state, ready for your Net2 or Switch2 system to enrol with its own site-specific settings, just as it would enrol a factory-fresh OEM token.

Enrolment happens through the Paxton software in exactly the same way as with OEM stock. The controller assigns a token ID, sets permissions and time profiles, and writes that enrolment to its database. The compatible fob holds no site-specific data before enrolment — it simply presents itself to the reader as a valid Hitag2 credential in the expected configuration, at which point the Paxton system takes over. This is the standard model for enterprise-proprietary compatible credentials across all major manufacturers.

Quality control at this stage is important. Chips not written to the correct configuration will be silently rejected at enrolment, which wastes time on-site. Our production process includes a read-back verification step for every fob batch. Buyers ordering for large sites should request a sample quantity for bench-testing before taking full delivery — standard practice for any critical access-control consumable.

The read-back verification step deserves specific mention. Each fob in a batch is checked against a reference profile to confirm the authentication block and memory pages are in the correct state for Paxton Net2 and Switch2 enrolment. This removes the risk of silent incompatibilities reaching a customer site. If your deployment involves a site-scale rollout — say, a hundred fobs for a new build — confirming production lot quality before full issuance is the professional approach, and we actively support sample requests for that purpose.

Comparing Paxton Tokens to Plain 125 kHz Proximity

The table below sets out the key differences between Paxton Net2/Switch2 Hitag2 tokens and the plain-prox credentials used in basic 125 kHz systems. The distinction is relevant both for sourcing decisions and for understanding what compatible supply actually involves.

Sites currently operating plain prox and considering migration to Paxton — or evaluating whether Paxton's credential tier suits their security requirement — will find the comparison useful. The compatible vs genuine access cards buyer's guide covers the wider procurement question, including when compatible supply is straightforward and when more care is needed.

Ordering Compatible Paxton Fobs in Bulk

Compatible Paxton tokens are available through our 125 kHz LF proximity range in single-unit, ten-pack, and site-scale quantities. Standard stock covers the key fob form factor equivalent to 695-644; card-form Paxton-compatible credentials are available on request. Lead times for standard stock are short; larger bespoke batches should be ordered with appropriate notice.

A useful alternative for multi-site operators or access-control installers managing several Paxton estates is our Hitag2 blank fob — the unprogrammed Hitag2-class token that some system integrators prefer to encode in-house using their own Paxton-connected tooling. For direct issuance without additional programming steps, the pre-configured Paxton Net2/Switch2 compatible fob is the right product. If you also manage PAC or Stanley installations alongside a Paxton estate, our PAC compatible token fob covers that format under the same ordering process.

For installers tendering for new Paxton installations or taking over management of an existing estate, establishing a reliable compatible fob supply chain from the outset reduces dependency on a single vendor channel and provides price stability across the credential lifecycle. We work regularly with access-control installers managing estates across multiple sites and can support blanket orders, phased deliveries, and format verification on request.

Security ID Systems is an independent manufacturer and supplier of compatible access-control credentials and is not affiliated with, authorised by, or endorsed by Paxton Access Limited.