The NTAG® 424 DNA tag offers powerful authentication capabilities based on symmetric cryptography. The dynamic URL feature is certainly the best-known way to authenticate the tag. However, it is worth remembering that there is a different and stronger way of doing so, called mutual authentication. This article compares the two methods, focusing on the pros and cons of each.
Note: NTAG is a trademark of NXP B.V. This site is not affiliated with NXP.
With the dynamic URL method, the tag simply generates a different URL upon each scan. The URL generated by the tag is recognized by all Apple smartphones since the iPhone 7, and by almost all Android devices equipped with an NFC module.
Each tag scan results in a different dynamic URL; an example could be:
The part marked red is the “dynamic parameter”, which is encrypted and cryptographically authenticated (protected against unauthorized modification). This portion is generated by the NFC tag itself during each scan.
Once the user opens the URL on their smartphone, the web browser connects to the server, and the server uses a secret key to decrypt the dynamic parameter and validate it for correctness.
✔️ The dynamic URL can be scanned from the home screen, without requiring the user to install any special software or perform a sophisticated setup.
❌ Not perfectly secure: the user could use an “NFC reader” application to read the URL out of the tag without opening it in the web browser. The URL could then be passed to a different person, who would open it on a different device. Due to technological limitations, the dynamic URL approach can neither detect nor prevent such manipulation.
This solution is extremely simple and convenient for the user, and it may well be the best choice for most applications. However, it is important to keep the cons in mind when designing a mission-critical application. If you need to know the exact timestamps of when NFC tags were scanned, it might be worth considering a different (less user-friendly but more secure) approach, described further in this article.
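As an added illustration (not code from the original article or from NXP), the following Python sketch shows the server-side check described above: a simulated tag produces a URL whose parameter carries the tag UID and read counter under a keyed MAC, and the server validates it and rejects a reused counter. It assumes a simplified HMAC-based construction in place of the tag's real AES-based encryption and MAC, a constructed shared demo key, and a hypothetical endpoint https://example.com/tag; the last case shows that a URL read out of the tag and opened on another device still validates, which is exactly the limitation the cons above describe.

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs

# Constructed demo key: one shared secret stands in for the tag's real AES keys.
SERVER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
BASE_URL = "https://example.com/tag"  # hypothetical verification endpoint

def tag_generate_url(uid: bytes, read_counter: int, key: bytes = SERVER_KEY) -> str:
    """Simulates the tag: 7-byte UID + 3-byte read counter + truncated keyed MAC."""
    data = uid + read_counter.to_bytes(3, "big")
    mac = hmac.new(key, data, hashlib.sha256).digest()[:8]
    return f"{BASE_URL}?d={(data + mac).hex()}"

class DynamicUrlVerifier:
    """Server side: check the MAC, then require a strictly increasing counter per tag."""

    def __init__(self, key: bytes = SERVER_KEY):
        self.key = key
        self.highest_counter = {}  # uid -> highest counter accepted so far

    def verify(self, url: str) -> tuple:
        param = parse_qs(urlparse(url).query).get("d", [""])[0]
        try:
            raw = bytes.fromhex(param)
        except ValueError:
            return False, "malformed parameter"
        if len(raw) != 7 + 3 + 8:
            return False, "wrong length"
        data, mac = raw[:10], raw[10:]
        expected = hmac.new(self.key, data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(mac, expected):  # constant-time comparison
            return False, "bad mac"
        uid, counter = data[:7], int.from_bytes(data[7:], "big")
        if counter <= self.highest_counter.get(uid, -1):
            return False, "replayed counter"  # seen before: URL reuse is detected
        self.highest_counter[uid] = counter
        return True, f"uid={uid.hex()} counter={counter}"

def demo() -> list:
    """Scan 1, scan 2, scan 1 replayed, then a scan 3 URL opened from another device."""
    uid = bytes.fromhex("04a1b2c3d4e5f6")  # constructed tag UID
    verifier = DynamicUrlVerifier()
    scan1, scan2 = tag_generate_url(uid, 1), tag_generate_url(uid, 2)
    forwarded = tag_generate_url(uid, 3)  # read out with an NFC reader app and passed on
    return [verifier.verify(scan1), verifier.verify(scan2),
            verifier.verify(scan1), verifier.verify(forwarded)]

if __name__ == "__main__":
    print(demo())
```

The counter check catches a URL that is opened twice, but the forwarded URL is indistinguishable from a genuine scan, so the server cannot tell which device, or which person, actually held the tag.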
Mutual authentication is an entirely different and slightly less known method, which is nevertheless supported by all NTAG® 424 tags.
With this approach, the user needs to download a dedicated mobile application that allows them to securely validate the tag. Unlike the method described in the previous section, mutual authentication cannot be performed without requiring the user to install a special app.
The dedicated mobile application connects both to the NFC tag and to the validating web server at the same time. A cryptographic “challenge-response” protocol is then performed between the NFC tag and the validating web server, through the app.
Mutual authentication can also be performed using a PC with a USB NFC reader and a dedicated program, instead of using a smartphone as the scanner.
✔️ The exact scan timestamp can be recorded on the server side with 100% certainty. You can be sure that the user was in physical proximity to the tag at the exact moment when the server recorded the scan.
❌ The user is required to install a dedicated mobile application before they can proceed with scanning the tag.
The table below briefly summarizes the information provided in the previous paragraphs.
| | Dynamic URL | Mutual authentication |
|---|---|---|
| Works without a dedicated mobile application | ✔️ | ❌ |
| Cryptographically secure (authentication cannot be forged by the user) | ✔️ | ✔️ |
| Provides an incremental scan counter (each scan has a different scan identifier) | ✔️ | ✔️ |
| Provides a perfectly accurate scan timestamp | ❌ | ✔️ |
| Resistant to user manipulation | ❔ (partially, depends on use case) | ✔️ (fully resistant) |
Supporting both methods at the same time
Please note that it is possible to configure the NFC tag so that both described authentication methods are supported at the same time. In that case, you can use dynamic URL verification for users who don’t have your mobile application yet, and mutual authentication for those who already have your app installed. You might also decide to restrict certain functionality for users who have not performed mutual authentication.
Whether it is better to use dynamic URL authentication, mutual authentication, or both at the same time depends on your exact application and use case.
For more demanding use cases, we can also provide different solutions (not based on NTAG 424 DNA) with native public key cryptography support and the ability to implement both authentication methods without a dedicated app. Feel free to reach out to us and we will advise you on the most cost-effective and best-fitting solution for your project.