Accreditations
For decades, the humble access card has been treated as a simple convenience: tap, beep, enter. But behind that everyday gesture is a major security evolution.
Card credentials have come a long way, from simple cards that just broadcast an ID number to smart, encrypted credentials that can prove they are genuine and that keep data protected.
The reason is simple: buildings, campuses, transport systems and critical sites now depend on credentials not just to open doors, but to prove identity. As attackers have gained cheaper tools for cloning and replaying older cards, the industry has had to move toward stronger cryptography and smarter credential management.
The first widely deployed physical access cards used low-frequency 125kHz proximity technology. These cards were popular because they were inexpensive, durable and easy to deploy. A reader could detect the card at short range and read its identifier.
However, the weakness was that many Prox cards were one-way and unencrypted. The card usually presented a static number, and the reader decided whether that number was allowed. That made the technology convenient, but not very secure by modern standards. Once low-cost cloning tools became available, copying many legacy Prox credentials became practical.
Even today, 125kHz systems remain common because replacing readers, cards and access-control databases across an estate can be expensive and disruptive.
MIFARE Classic represented a major step forward from simple Prox cards. Operating at 13.56MHz, it supported stored data and became widely used in access control, transport and school-card environments.
MIFARE Classic was more advanced than older Prox cards because it used security technology to protect the information on the card. However, over time, researchers discovered weaknesses in how that protection worked. In 2008, they showed that attackers could use those weaknesses to access card information and even change data on some systems.
That marked an important turning point. The industry could no longer assume that obscurity or proprietary encryption was enough. Security needed to be based on stronger, publicly scrutinised cryptography.
DESFire EV1 brought a more modern security model. It supported stronger cryptographic options including AES and 3DES, along with mutual authentication and a more flexible file structure.
That meant a single card could securely support multiple applications, such as building access, cashless vending, print release or transport.
The key development was mutual authentication. Instead of a card simply broadcasting an identifier, the card and reader could prove to each other that they were legitimate before exchanging sensitive data. This made cloning and replay attacks much harder.
For organisations, DESFire EV1 also offered a path away from vulnerable legacy credentials without abandoning the convenience of contactless access.
DESFire EV2 and EV3 continued the move toward higher-assurance credentials.
These newer generations made card credentials faster, easier to use across larger systems and better at protecting data during each interaction. They also added stronger checks to help make sure the information sent between the card and reader had not been changed or tampered with.
An increasingly important feature as modern access cards now support far more than just door entry. Stronger transaction protection helps ensure that data has not been altered or replayed between the card and reader.
DESFire EV3 also became an important migration target for organisations still using Prox or MIFARE Classic, because it provided stronger security while remaining practical for large-scale physical access deployments.
The newest generation is moving beyond traditional shared-key card systems.
DUOX is significant because it introduces support for both symmetric and asymmetric cryptography. In practice, that can simplify credential issuing and key management. Instead of every reader and system relying heavily on shared secret keys, certificate-based approaches can help create a stronger chain of trust.
DUOX is designed to support advanced security features, including stronger encryption, modern certificate-based authentication and partial compatibility with existing MIFARE DESFire EV3 infrastructure. This is important for organisations planning long-term access-control investments, as card systems often remain in place for many years.
The development of card credentials is not just a technical upgrade. It is a response to a changing threat landscape.
Older cards were built for convenience. Modern credentials are built for identity assurance. As buildings become more connected and access systems integrate with IT networks, mobile wallets, cloud platforms and visitor systems, the card becomes part of a much larger security ecosystem.
The shift from Prox to MIFARE Classic, then to DESFire and DUOX, shows a clear pattern: each generation adds stronger authentication, better encryption and more secure management of identity data.
But the card is only one part of the story. Even the most secure credential can be undermined if it is connected to outdated access-control infrastructure. Many legacy systems still use two-wire connections between the reader and controller, which can create vulnerabilities if the reader cable is accessed, cut or tampered with. In those cases, the weakness is not necessarily the card itself, but the way the reader sends data back to the system.
That is why modern access-control security has to look at the full chain: the card, the reader, the communication between reader and controller, and the wider system behind it.
Legacy technology is still everywhere, largely because it works and because migration takes planning. But the direction of travel is clear. The access card has evolved from a simple electronic key into a secure digital credential and for organisations serious about protecting people, buildings and assets, that evolution is becoming essential.
