MIFARE 13.56 MHz Secured credential

MIFARE DESFire EV2 Compatible Cards & Fobs

MIFARE DESFire EV2 is NXP's second-generation multi-application secure card with EAL5+ certification, AES-128 encryption, anti-relay proximity check, and Transaction MAC — not cloneable, widely deployed in enterprise and government access control.

Quote MIFARE DESFire EV2 cards View specs

MIFARE DESFire EV2 operates at 13.56 MHz per ISO/IEC 14443 Type A with an EAL5+ certified secure element supporting unlimited simultaneous applications, each secured by independent AES-128 or 3DES keys with per-application cryptographic settings and Transaction MAC write-integrity verification. American Key Cards supplies DESFire EV2 cards blank and unencoded for new deployments — no existing secured credential can be copied or cloned, as the operator's application keys never leave the card's secure element during any transaction.

MIFARE DESFire EV2 specifications

Brand / OEM
NXP Semiconductors
Technology
Contactless smart card (ISO/IEC 14443 Type A, ISO 7816)
Frequency
13.56 MHz
Chip
NXP MF3DX2 (standard) / MF3DHX2 (high-temp); 2K, 4K, and 8K memory variants; AES-128 and 2K3DES/3K3DES hardware; EAL5+ Common Criteria certified; 7-byte UID; proximity check anti-relay feature
Bit formats
Proprietary NXP DESFire application-layer encoding (per-application AES/3DES), 26-bit Wiegand (via reader-side CSN extraction), 37-bit Wiegand (via reader-side CSN extraction), OSDP v2 (reader-dependent)
OEM part numbers
MF3DX2_MF3DHX2, MF3D22, MF3D42, MF3D82, MF3DH22, MF3DH42, MF3DH82

Honest note: MIFARE DESFire EV2 is a secured credential

MIFARE DESFire EV2 cannot be cloned. EAL5+ certified secure element with AES-128 mutual authentication — application keys never leave the chip. EV2 adds Transaction MAC (cryptographic proof of write completion) and proximity check (anti-relay/anti-man-in-the-middle) over EV1. American Key Cards supplies blank, unencoded DESFire EV2 cards for new deployments; existing secured credentials cannot be duplicated by any party without the operator's application keys. If you're deploying a new system or need standard prox credentials your readers also accept, contact us and we'll tell you exactly what's possible.

Can MIFARE DESFire EV2 cards be copied?

No. MIFARE DESFire EV2 relies on secure encryption, so it cannot be cloned from an existing card. This is a security strength, not a limitation of our service.

Where MIFARE DESFire EV2 is used

  • Enterprise and corporate campus access control
  • Government and municipal facility access with anti-relay protection
  • University multi-application smart ID (access + logical + payment)
  • Healthcare facility access and staff ID
  • Transit fare media requiring Transaction MAC integrity
  • Secure NFC-enabled building access replacing HID iCLASS

Compatible readers

HID multiCLASS SE RP40 readers with DESFire credential supportAllegion aptiQ multi-technology readersLenelS2 BlueDiamond multi-tech readers (EV2 support)Dormakaba DESFire EV2-capable readersGallagher Command Centre DESFire readersIDEMIA MorphoAccess SIGMA readersHID OMNIKEY desktop encoding readers

Related formats

You might also need

MIFARE

MIFARE DESFire EV1

MIFARE DESFire EV1 is NXP's first-generation multi-application secure smart card, offering AES-128 and 3DES hardware encryption at 13.56 MHz with EAL4+ certification — not cloneable, suitable for legacy high-security deployments, but superseded by EV3 for new installations.

13.56 MHz Secure
View compatible cards
MIFARE

MIFARE DESFire EV3

MIFARE DESFire EV3 is NXP's current-generation flagship smart card — EAL5+ certified, AES-128 only (single DES removed), with Secure Unique NFC messaging, 1 million write cycles, and extended read range — not cloneable, recommended for all new high-security deployments.

13.56 MHz Secure
View compatible cards
HID Rare format

HID Seos

HID Seos is HID Global's current flagship smart card credential, delivering AES-128 encryption, Common Criteria EAL 5+ hardware, and SIO Data Binding — making it immune to all known cloning attacks.

13.56 MHz Secure
View compatible cards

MIFARE DESFire EV2 — FAQ

Can MIFARE DESFire EV2 cards be cloned?

No. DESFire EV2 is EAL5+ certified with AES-128 mutual authentication — the application keys are stored in a hardware secure element and never transmitted. There is no known attack that allows cloning of a properly secured EV2 credential. AKC supplies blank cards only; we cannot duplicate an existing encoded card.

What does DESFire EV2 add over EV1?

EV2 raises the security certification from EAL4+ to EAL5+, removes the 28-application limit (now effectively unlimited), adds Transaction MAC (a cryptographic proof that a write operation completed successfully), and introduces a proximity check to prevent relay attacks. EV2 is backward compatible with EV1 readers.

Do you sell pre-programmed DESFire EV2 cards?

We supply DESFire EV2 in blank factory state. Application encoding requires your operator-held AES or 3DES keys, which your access control software or integrator manages. Shipping pre-encoded cards would require access to your security keys — which is not something a card supplier should hold.