Certain NFC chip types can restrict write access to an NFC tag's memory by requiring a password. In general, NFC tags deployed publicly should not allow unprotected writing, as it allows hackers to change the contents of the tag's memory so that the tag performs an alternate and likely unwanted action. Password protection is one solution to this problem, although it has some issues.
NXP NTAG Series
The NXP NTAG series of NFC chips (NTAG210, NTAG213, NTAG216…) can password protect user memory. When the feature is enabled, a 32-bit secret password is required to write to user memory. Password protection is disabled by default on NTAG chips. Note that a 32-bit secret provides only limited security; if stronger security is needed, application-level encryption should be used.
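To check how a deployed tag is actually configured, the following added example (not GoToTags or NXP code) decodes the configuration pages from a page dump and reports whether password protection is on and what it covers. The page addresses and the AUTH0/ACCESS bit layout are taken from the NXP NTAG213/215/216 data sheet and are assumptions relative to this article; the function name and the dump bytes are constructed for illustration.

```python
# Added example: audit NTAG21x password-protection settings from a page dump.
# Field layout assumed from the NXP NTAG213/215/216 data sheet (not from this article).
CFG_START = {"NTAG213": 0x29, "NTAG215": 0x83, "NTAG216": 0xE3}  # first config page
FIRST_USER_PAGE = 0x04

def audit_write_protection(chip, pages):
    """pages maps page number -> the 4 bytes read from that page."""
    cfg0 = CFG_START[chip]
    auth0 = pages[cfg0][3]       # first page that requires the password
    access = pages[cfg0 + 1][0]  # ACCESS byte: PROT, CFGLCK, AUTHLIM
    enabled = auth0 <= cfg0 + 3  # AUTH0 past the last page means protection is off
    report = {
        "password_enabled": enabled,
        "first_protected_page": auth0 if enabled else None,
        "all_user_memory_protected": enabled and auth0 <= FIRST_USER_PAGE,
        "config_pages_protected": enabled and auth0 <= cfg0,
        "reads_also_protected": enabled and bool(access & 0x80),  # PROT bit
        "config_locked": bool(access & 0x40),                     # CFGLCK bit
        "failed_attempt_limit": access & 0x07,                    # AUTHLIM, 0 = none
    }
    findings = []
    if not enabled:
        findings.append("password protection disabled (default state)")
    else:
        if not report["all_user_memory_protected"]:
            findings.append(f"user pages below 0x{auth0:02X} are writable without the password")
        if not report["config_pages_protected"] and not report["config_locked"]:
            findings.append("configuration pages are writable without the password")
        if report["failed_attempt_limit"] == 0:
            findings.append("AUTHLIM is 0: no limit on failed password attempts")
    report["findings"] = findings
    return report

# Constructed sample dumps (configuration pages only), not read from real tags.
FACTORY_NTAG213 = {0x29: bytes.fromhex("040000ff"), 0x2A: bytes.fromhex("00000000")}
LOCKED_NTAG213 = {0x29: bytes.fromhex("04000004"), 0x2A: bytes.fromhex("03000000")}
PARTIAL_NTAG216 = {0xE3: bytes.fromhex("04000010"), 0xE4: bytes.fromhex("80000000")}

if __name__ == "__main__":
    for chip, dump in (("NTAG213", FACTORY_NTAG213), ("NTAG213", LOCKED_NTAG213),
                       ("NTAG216", PARTIAL_NTAG216)):
        print(chip, audit_write_protection(chip, dump))
```

A failed-attempt limit (AUTHLIM) partly offsets the short password, which is why the audit flags a value of 0.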
There are several issues with using password protection features to limit write access:
- Limited security strength due to small key sizes
- Physical access to the tag is required to change the user memory, which might not be possible or practical
- Limited device and operating system support. In order to access the password protection features of the NFC chip, direct access to the NFC chip is required. This direct access is not available in Apple’s iOS or on Windows when using PC/SC.
- Each chip type series has its own solution to password protection, which locks the project in to that chip type
For some use cases, it's better to use an online tag management platform that allows the tag's action to be changed remotely while the user memory of the tag is permanently locked. This resolves all of the above issues and enables other features. Essentially, this moves the solution to cloud software instead of the tag, which is generally good practice.
Given the limitations of password protection, the GoToTags software does not support password protection features.