NFC Anti-Counterfeiting Guide
Protect Products with NFC Tags
How to use NFC tags for brand protection and anti-counterfeiting with SUN/SDM authentication. Covers originality signatures, rolling codes, cloud verification, and implementation best practices.
NFC Anti-Counterfeiting
Counterfeit goods cost global brands over $500 billion annually. NFC enables product authentication at the item level — each unit carries a unique, verifiable identity that a smartphone can check in under a second. This guide explains the authentication methods, NFC-specific hardware features, and supply chain deployment patterns.
Authentication Methods Overview
NFC anti-counterfeiting approaches fall into four tiers of increasing security:
| Tier | Method | Forgeability | Cost Premium |
|---|---|---|---|
| 1 — UID check | Read factory UID, query backend | Medium (UID cloners exist) | Minimal |
| 2 — Originality signature | Verify ECC signature on-chip | Low (requires NXP IC) | Low |
| 3 — Mutual authentication | AES challenge-response with backend | Very low | Moderate |
| 4 — SDM + backend | Encrypted URL params + server verify | Extremely low | Moderate |
The right tier depends on counterfeiting sophistication and scan volume. Luxury goods often deploy Tiers 2–4 simultaneously.
Originality Signatures
The originality signature is an NXP-proprietary feature available in NTAG21x and selected MIFARE products. During manufacturing, NXP's hardware security module signs the chip's 7-byte UID using ECDSA with a 224-bit curve and stores the 56-byte signature in a protected memory area.
Verification flow:
1. Reader retrieves the UID via standard anti-collision.
2. Reader issues a READ_SIG command (custom NXP command, page 0x2C in NTAG21x).
3. Reader verifies the signature against NXP's published ECC public key.
4. A valid signature proves the chip is genuine NXP silicon — it cannot be replicated without NXP's HSM.
Limitation: Originality signatures prove chip authenticity, not product authenticity. A counterfeiter could desolder a genuine NXP chip and resolder it into a fake product. Pair with tamper-evident packaging or mechanical security features.
NTAG DNA and SDM
The Secure Dynamic Messaging (SDM) feature in NTAG 424 DNA chips adds cryptographic freshness to every tap. The chip maintains an internal tap counter and generates an AES-128 CMAC over the UID + counter + arbitrary data on each read. The result is embedded into the NDEF URL as ciphertext.
SDM verification flow:
1. Consumer taps the tag with any NFC smartphone — no app required.
2. The chip generates a unique encrypted URL (e.g., https://auth.brand.com/v?e=A3F2...&c=8B1...).
3. The browser opens the URL. The backend decrypts and verifies the CMAC.
4. The server checks that the counter has incremented monotonically (replay detection) and returns an authentic product page or fraud alert.
This closes the replay attack vector entirely: the ciphertext changes on every tap, so photographing or re-broadcasting a URL does not produce a valid authentication.
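The backend side of steps 3 and 4, as an added example that is not code from this guide or from NXP. It assumes the URL mirrors the UID and counter in plain hex under the hypothetical parameters `uid`, `ctr` and `c`, and it uses truncated HMAC-SHA256 as a stand-in for the chip's AES-128 CMAC so that it runs on the standard library alone; the key, UID and host name are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed sample data: per-tag keys provisioned at commissioning time.
TAG_KEYS = {"04A1B2C3D4E5F6": bytes.fromhex("00112233445566778899aabbccddeeff")}
LAST_COUNTER = {}  # uid -> highest counter accepted so far


def tag_mac(key: bytes, uid: str, counter: int) -> str:
    """Stand-in for the chip's CMAC: HMAC-SHA256 over UID || counter, first 8 bytes."""
    msg = bytes.fromhex(uid) + counter.to_bytes(3, "little")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8].hex().upper()


def verify_tap(uid: str, counter: int, mac: str) -> str:
    """Classify one tap as 'authentic', 'unknown_tag', 'bad_mac' or 'replay'."""
    key = TAG_KEYS.get(uid)
    if key is None:
        return "unknown_tag"
    expected = tag_mac(key, uid, counter)
    # Constant-time comparison so response timing does not leak MAC bytes.
    if not hmac.compare_digest(expected.encode(), mac.upper().encode()):
        return "bad_mac"
    # Strictly greater: an equal or lower counter means the URL was seen before.
    if counter <= LAST_COUNTER.get(uid, -1):
        return "replay"
    # Stored only after the MAC check, so forged URLs cannot advance the counter.
    LAST_COUNTER[uid] = counter
    return "authentic"


def verify_url(url: str) -> str:
    """Parse the tapped URL (hypothetical parameter names) and verify it."""
    q = parse_qs(urlparse(url).query)
    try:
        uid, counter, mac = q["uid"][0].upper(), int(q["ctr"][0], 16), q["c"][0]
    except (KeyError, ValueError):
        return "malformed"
    if not 0 <= counter <= 0xFFFFFF:  # the counter is a 3-byte value
        return "malformed"
    return verify_tap(uid, counter, mac)


if __name__ == "__main__":
    uid = "04A1B2C3D4E5F6"
    url = f"https://auth.example/v?uid={uid}&ctr=000005&c={tag_mac(TAG_KEYS[uid], uid, 5)}"
    print(verify_url(url), verify_url(url))  # first tap, then the same URL again
```

In production the counter comparison and update must be a single atomic database operation, otherwise two concurrent requests carrying the same URL can both pass.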
Supply Chain Integration
Anti-cloning measures must be integrated at the supply chain level to be effective:
- Tag commissioning: Generate unique AES keys per tag, provision into backend database during inlay production.
- Serialization linkage: Bind the NFC UID to the product's serial number and SKU in your PIM/ERP.
- Tamper evidence: Use destructible labels or embedded inlays that break if removed (void labels, tear-on-removal inlays).
- Scan telemetry: Log each mutual-authentication event with timestamp and geolocation. Anomalies (duplicate UIDs, scan clusters in one country for product shipped to another) trigger alerts.
| Supply Chain Stage | NFC Action | Data Captured |
|---|---|---|
| Inlay production | Commission keys + write NDEF | UID, key hash, SKU |
| Packaging / labeling | Verify originality signature | Pass/fail log |
| Warehouse outbound | Scan for tamper check | Location, timestamp |
| Retail POS | Consumer-facing auth scan | Auth result, store ID |
| Consumer tap | SDM backend verification | Counter, geo, device OS |
Use the NFC Chip Selector to filter chips with originality signature and SDM support. For the underlying security architecture, see NFC Security Deep Dive.
Frequently Asked Questions
Our guides cover a range of experience levels. Getting Started guides are written for beginners with no prior NFC knowledge. Programming guides target developers integrating NFC into mobile apps or embedded systems. Security guides are for engineers designing secure NFC deployments for payments, access control, or authentication.
Most guides require only an NFC-enabled smartphone (iPhone 7+ or any modern Android device) and a few NFC tags (NTAG213 or NTAG215 recommended for beginners, available for under $1 each). Advanced guides may reference USB NFC readers like the ACR122U or Proxmark3 for development and testing.
Yes. Programming guides include code examples for Android (Kotlin/Java with the Android NFC API), iOS (Swift with Core NFC), and web-based tools (Web NFC API for Chrome on Android). All code samples are tested and include inline comments explaining each step.