The Evolution of Card Credentials: From Prox cards to secure smart cards

For decades, the humble access card has been treated as a simple convenience: tap, beep, enter. But behind that everyday gesture sits a much wider security evolution, driven by the growing role credentials now play in protecting buildings, campuses, transport systems and critical sites.

Modern access control depends on three separate layers of security: the credential, the reader, and the communication between the reader and controller. Each layer must be protected in its own right, because strengthening one does not automatically strengthen the others. This is why credential technology has had to move far beyond simple cards that broadcast an ID number, towards smart, encrypted credentials that can prove they are genuine and keep data protected.

That shift has become essential as attackers gain access to cheaper tools for cloning and replaying older cards. As a result, the industry has moved towards stronger cryptography and smarter credential management, ensuring that access cards are no longer just a way to open doors, but a trusted way to prove identity.

1990s: 125kHz Prox - Simple, reliable, but easy to copy

The first widely deployed physical access cards used low-frequency 125kHz proximity technology. These cards were popular because they were inexpensive, durable and easy to deploy. A reader could detect the card at short range and read its identifier.

However, the weakness was that many Prox cards were one-way and unencrypted. The card usually presented a static number, and the reader decided whether that number was allowed. That made the technology convenient, but not very secure by modern standards. Once low-cost cloning tools became available, copying many legacy Prox credentials became practical.

Even today, 125kHz systems remain common because replacing readers, cards and access-control databases across an estate can be expensive and disruptive.

1994: MIFARE Classic - Smarter cards, but aging cryptography

MIFARE Classic represented a major step forward from simple Prox cards. Operating at 13.56MHz, it supported stored data and became widely used in access control, transport and school-card environments.

MIFARE Classic was more advanced than older Prox cards because it used security technology to protect the information on the card. However, over time, researchers discovered weaknesses in how that protection worked. In 2008, they showed that attackers could use those weaknesses to access card information and even change data on some systems.

That marked an important turning point. The industry could no longer assume that obscurity or proprietary encryption was enough. Security needed to be based on stronger, publicly scrutinised cryptography.

2006: DESFire EV1 - Stronger encryption and multi-application use

DESFire EV1 brought a more modern security model. It supported stronger cryptographic options including AES and 3DES, along with mutual authentication and a more flexible file structure.

That meant a single card could securely support multiple applications, such as building access, cashless vending, print release or transport.

The key development was mutual authentication. Instead of a card simply broadcasting an identifier, the card and reader could prove to each other that they were legitimate before exchanging sensitive data. This made cloning and replay attacks much harder.
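A simplified model of the mutual authentication described above, added here as an illustration and not taken from the DESFire specification or any vendor code. It assumes a shared key and substitutes HMAC-SHA256 for the card's AES or 3DES operations; the key, class names and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key

def proof(key, role, nonce_a, nonce_b):
    # Key-possession proof bound to both fresh nonces (HMAC stands in for AES).
    return hmac.new(key, role + nonce_a + nonce_b, hashlib.sha256).digest()

class Card:
    def __init__(self, key):
        self.key = key
    def challenge(self):
        self.nonce = secrets.token_bytes(16)
        return self.nonce
    def respond(self, reader_nonce, reader_proof):
        # The card verifies the reader first and stays silent if that fails.
        want = proof(self.key, b"reader", self.nonce, reader_nonce)
        if not hmac.compare_digest(want, reader_proof):
            return None
        return proof(self.key, b"card", reader_nonce, self.nonce)

class RecordedSession:
    # Plays back one captured nonce and proof; it holds no key.
    def __init__(self, nonce, card_proof):
        self.nonce, self.card_proof = nonce, card_proof
    def challenge(self):
        return self.nonce
    def respond(self, reader_nonce, reader_proof):
        return self.card_proof

def reader_authenticates(key, card):
    card_nonce = card.challenge()
    reader_nonce = secrets.token_bytes(16)  # fresh per attempt
    answer = card.respond(reader_nonce, proof(key, b"reader", card_nonce, reader_nonce))
    want = proof(key, b"card", reader_nonce, card_nonce)
    return answer is not None and hmac.compare_digest(want, answer)

def demo():
    card = Card(KEY)
    n_card, n_reader = card.challenge(), secrets.token_bytes(16)
    old = card.respond(n_reader, proof(KEY, b"reader", n_card, n_reader))
    return {
        "genuine_card": reader_authenticates(KEY, card),
        "replayed_session": reader_authenticates(KEY, RecordedSession(n_card, old)),
        "reader_with_wrong_key": reader_authenticates(bytes(16), card),
    }
```

The replayed session fails because the reader's nonce changes on every attempt, which is the property a static Prox identifier lacks.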

For organisations, DESFire EV1 also offered a path away from vulnerable legacy credentials without abandoning the convenience of contactless access.

2016 - 2020: DESFire EV2 and EV3 - Stronger keys, better transaction security

DESFire EV2 and EV3 continued the move toward higher-assurance credentials.

These newer generations made card credentials faster, easier to use across larger systems and better at protecting data during each interaction. They also added stronger checks to help make sure the information sent between the card and reader had not been changed or tampered with.

This is an increasingly important feature, as modern access cards now support far more than just door entry. Stronger transaction protection helps ensure that data has not been altered or replayed between the card and reader.

DESFire EV3 also became an important migration target for organisations still using Prox or MIFARE Classic, because it provided stronger security while remaining practical for large-scale physical access deployments.

2023 and beyond: MIFARE DUOX - Certificate-based and post-quantum ready

The newest generation is moving beyond traditional shared-key card systems.

DUOX is significant because it introduces support for both symmetric and asymmetric cryptography. In practice, that can simplify credential issuing and key management. Instead of every reader and system relying heavily on shared secret keys, certificate-based approaches can help create a stronger chain of trust.

DUOX is designed to support advanced security features, including stronger encryption, modern certificate-based authentication and partial compatibility with existing MIFARE DESFire EV3 infrastructure. This is important for organisations planning long-term access-control investments, as card systems often remain in place for many years.

Why this evolution matters

The development of card credentials is not just a technical upgrade. It is a response to a changing threat landscape.

Older cards were built for convenience. Modern credentials are built for identity assurance. As buildings become more connected and access systems integrate with IT networks, mobile wallets, cloud platforms and visitor systems, the card becomes part of a much larger security ecosystem.

The shift from Prox to MIFARE Classic, then to DESFire and DUOX, shows a clear pattern: each generation adds stronger authentication, better encryption and more secure management of identity data.

But the card is only one part of the story. Even the most secure credential can be undermined if it is connected to outdated access-control infrastructure. Many legacy systems still rely on Wiegand, an older reader-to-controller communication method that sends card data in one direction and without encryption. If the reader cable is accessed or tampered with, that data can potentially be intercepted, replayed or spoofed.

This is why the industry has been moving towards OSDP and OSDP Secure Channel. Unlike Wiegand, OSDP uses two-way communication between the reader and controller, while OSDP Secure Channel adds AES-128 encryption and helps detect tampering. In other words, the weakness is not always the card itself, but the way the reader sends data back to the system.
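The difference between an unprotected one-way link and an authenticated one, as an added sketch that is not OSDP's actual frame format or the page's own code. It models only tamper and replay detection, using a counter and a truncated HMAC-SHA256 tag, and leaves out the AES-128 encryption; the key, frame layout and names are constructed for the example.

```python
import hashlib
import hmac
import struct

LINK_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed sample key

def seal(key, counter, card_data):
    # Reader side: bind the card data to a strictly increasing counter.
    header = struct.pack(">I", counter)
    tag = hmac.new(key, header + card_data, hashlib.sha256).digest()[:16]
    return header + card_data + tag

class Controller:
    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def accept_plain(self, frame):
        # Wiegand-style: nothing to verify, so any copy or edit is taken as valid.
        return frame

    def accept_sealed(self, frame):
        if len(frame) < 20:
            return None  # too short to hold a counter and a tag
        header, card_data, tag = frame[:4], frame[4:-16], frame[-16:]
        want = hmac.new(self.key, header + card_data, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(want, tag):
            return None  # altered on the wire or sealed with the wrong key
        (counter,) = struct.unpack(">I", header)
        if counter <= self.last_counter:
            return None  # stale counter: a replayed frame
        self.last_counter = counter
        return card_data

def demo():
    ctl = Controller(LINK_KEY)
    frame = seal(LINK_KEY, 1, b"\x12\x34\x56")  # constructed card data
    altered = frame[:4] + b"\x12\x34\x57" + frame[7:]
    return {
        "plain_altered": ctl.accept_plain(b"\x12\x34\x57"),
        "sealed_first": ctl.accept_sealed(frame),
        "sealed_replayed": ctl.accept_sealed(frame),
        "sealed_altered": ctl.accept_sealed(altered),
        "sealed_next": ctl.accept_sealed(seal(LINK_KEY, 2, b"\x12\x34\x56")),
    }
```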

That is why modern access-control security has to look at the full chain: the card, the reader, the communication between reader and controller, and the wider system behind it.

Legacy technology is still everywhere, largely because it works and because migration takes planning. But the direction of travel is clear. The access card has evolved from a simple electronic key into a secure digital credential, and for organisations serious about protecting people, buildings and assets, that evolution is becoming essential.

Whether for property developers, facility managers, or everyday users, MIFARE DESFire delivers an impressive blend of innovation, usability, and design, transforming the way we think about access control.



At CIE, we’re proud to be at the forefront of bringing security solutions to the UK market. Contact CIE-Group today to find out how the range can be used in your next project on T. 0115 9770075 or email: [email protected]


 
