What is MIFARE, and why does it matter for access cards?
MIFARE is a family of genuine contactless IC chips made by NXP Semiconductors, operating at 13.56 MHz under the ISO/IEC 14443 Type A air interface. It is one of the most widely deployed smart-card platforms in the world, used across office access control, hotel locks, public transit, cashless payment, and campus credentials. Every smart card we manufacture in this family is built on genuine NXP silicon.
Because MIFARE spans several distinct chip generations with very different cryptography, "MIFARE" alone never fully identifies a credential. An access reader is provisioned for a specific chip type and, often, a specific memory layout and key. Matching that chip on genuine NXP silicon is the first requirement when you order compatible cards. The right approach for replacements depends entirely on which family member your system uses.
MIFARE Classic (1K / 4K): the legacy CRYPTO1 chip
MIFARE Classic is the original and most common member, supplied as 1K (sixteen sectors) and 4K (forty sectors) variants on genuine NXP silicon. It uses NXP's proprietary CRYPTO1 stream cipher with 48-bit sector keys. CRYPTO1 is an early-generation cipher that the industry has long considered cryptographically weak, so MIFARE Classic is widely regarded as a legacy, open-tier credential. Many older office systems, building-entry panels, and budget hotel locks still rely on it.
Because Classic is an open legacy tier, we can encode a genuine NXP MIFARE Classic 1K or 4K credential that carries the exact data layout your reader already accepts. For Classic-based systems we supply ready-encoded compatible cards that present the same sector structure, facility data, and card number your installation expects. This makes Classic among the most straightforward 13.56 MHz formats for spare and replacement credentials.
- 1K: 16 sectors, ~768 usable data bytes; 4K: 40 sectors, larger storage
- Proprietary CRYPTO1 cipher with 48-bit keys — legacy, open-tier security
- Common in older office access, building entry, and budget hotel locks
- Broadly supported: we encode the matching layout onto a genuine NXP Classic credential
MIFARE Plus and Ultralight: the in-between tiers
MIFARE Plus is NXP's drop-in upgrade path from Classic. It keeps a Classic-style memory structure but can be operated in security levels that replace CRYPTO1 with AES-128. When a Plus card is run in its higher AES security levels, it behaves like a modern secured credential rather than a legacy one, so the right replacement strategy depends on how your integrator configured it.
MIFARE Ultralight is a low-cost, smaller-memory chip with no encryption on the base Ultralight — it is common in disposable transit tickets, event wristbands, and some hotel key cards. Ultralight C adds a Triple-DES (3DES) authentication step for a meaningful step up in security. Plain Ultralight is an open tier, so we encode a ready-to-use compatible credential on genuine NXP silicon; Ultralight C and AES-mode Plus are secured tiers, where we supply a compatible blank on the matching genuine NXP chip and your own system enrols it with its keys.
- MIFARE Plus: Classic-style layout, upgradeable to AES-128 in higher security levels
- Ultralight (base): no encryption — disposable transit, wristbands, some hotel cards
- Ultralight C: adds 3DES authentication — a real security step up
- Approach varies: plain Ultralight we encode ready-to-use; Ultralight C / AES-Plus ship as compatible blanks your system enrols
MIFARE DESFire (EV1 / EV2 / EV3): the AES-secured tier
MIFARE DESFire is the high-security member of the family, built around a flexible application file system and strong cryptography. DESFire EV1 introduced AES-128 (alongside 3DES/DES legacy modes); EV2 added features such as multiple isolated applications, transaction MAC, and proximity checking; EV3 is the current generation with further hardening and certifications. DESFire is the chip you find in modern transit networks, enterprise access control, and newer hotel and resort lock systems that want diversified keys per card.
DESFire's AES encryption and diversified keys are designed so the credential data is written by your own system, never read out of an existing card. For DESFire installations we supply compatible blank DESFire EV1/EV2/EV3 credentials on genuine NXP silicon, and your system administrator enrols them through your access-control or property-management software — exactly as you would enrol blanks ordered through the OEM channel. The keys, and your site security, stay in your hands; the blank simply matches the chip family your readers expect.
- EV1: AES-128 introduced; EV2: multiple apps, transaction MAC, proximity check; EV3: latest, hardened
- Used in modern transit, enterprise access, and newer hotel/resort locks
- AES + diversified keys = secured by design; your system holds the keys
- Compatible approach: supply a compatible blank built on genuine NXP silicon, then enrol it in your own system
How do I get replacements for my MIFARE system?
Start by identifying which MIFARE family member your readers use — Classic 1K/4K, Plus, Ultralight/Ultralight C, or DESFire EV1/EV2/EV3. The chip marking on existing cards, the lock or panel model, or your integrator's documentation will tell you. If you can send a sample card, that confirms the chip and, for Classic, the memory layout.
From there the path is straightforward. For open legacy tiers (Classic, plain Ultralight) we encode compatible cards on genuine NXP silicon that present the exact layout your reader already recognizes. For AES-secured tiers (DESFire, and Plus running in AES mode) we supply compatible blanks of the correct genuine NXP chip family, and your own system enrols them with its keys. Either way, these are independently manufactured compatible credentials built on genuine NXP silicon — we are an independent manufacturer and supplier, not affiliated with, authorized by, or endorsed by NXP or any lock or access-control manufacturer. When in doubt, send the chip type and a sample and request a quote.
MIFARE family at a glance — chip, security tier, where it's used, and the compatible approach
| Chip | Security | Typical systems | Compatible approach |
|---|---|---|---|
| MIFARE Classic 1K / 4K | CRYPTO1, 48-bit keys (legacy, open tier) | Older office access, building entry, budget hotel locks | We encode the matching layout onto a genuine NXP Classic credential |
| MIFARE Plus | Upgradeable to AES-128 (security levels) | Classic upgrades, mixed-fleet access control | Depends on level: ready-encoded in legacy mode, compatible blank your system enrols in AES mode |
| MIFARE Ultralight | None (base chip) | Disposable transit tickets, event wristbands, some hotel cards | We encode a ready-to-use credential on a genuine NXP Ultralight chip |
| MIFARE Ultralight C | 3DES authentication | Hotel key cards, ticketing needing a step up | Match genuine NXP chip + config; secured tier your system enrols |
| MIFARE DESFire EV1 | AES-128 (also 3DES/DES legacy) | Transit, enterprise access, secure facilities | Compatible blank on genuine NXP silicon, enrolled by your system |
| MIFARE DESFire EV2 | AES-128 + multi-app, transaction MAC, proximity check | Modern access control, multi-application credentials | Compatible blank on genuine NXP silicon, enrolled by your system |
| MIFARE DESFire EV3 | AES-128, hardened + certified (latest) | Current enterprise access, newer hotel/resort locks | Compatible blank on genuine NXP silicon, enrolled by your system |