One Card for Login and Door Access: DESFire EV3 and FIDO2 Under NIS2

by Rasmus Jensen, Founder & Software Engineer

In many organizations—especially municipalities and other public bodies—identity and access are still split into two worlds:

  • One system for IT login
  • Another system for physical access (PACS)

These systems are often run separately—both technically and organizationally. At the same time, NIS2 takes effect in Denmark on 1 July 2025, raising the bar for access control, strong authentication, risk management, incident handling, and documentation.

This article shows how a combined MIFARE DESFire EV3 and FIDO2 card unifies digital and physical access into one security model—and why that matters for NIS2.

From UID Cards to Cryptographic Identity

Traditional access cards—especially MIFARE Classic—typically just present a UID (a static serial number), which leads to well-known issues:

  • The UID is unencrypted
  • The UID can be copied or emulated
  • No cryptographic binding between card and system
  • No protection against replay or cloning

In practice, the card is just a number rather than an identity—an increasingly weak position as physical and digital threats converge.

DESFire EV3 Changes the Base Layer

MIFARE DESFire EV3 is designed for high-assurance environments (public sector, critical infrastructure) and supports:

  • AES-based encryption
  • Application and key segmentation
  • Secure messaging
  • Secure Dynamic Messaging (SDM)

The card becomes an active cryptographic component, enabling a risk-based model with verifiable authenticity—not just presence.

FIDO2: Passwordless Login for IT Systems

FIDO2 (WebAuthn) is widely recommended by European and national cybersecurity authorities. It delivers:

  • Passwordless login
  • Cryptographic binding of user, device, and service
  • Strong phishing resistance
  • Support for hardware and platform authenticators

In a NIS2 context this matters because compromised credentials remain a leading source of incidents.

One Card—Two Domains

The opportunity arises when DESFire EV3 and FIDO2 live on one employee card:

  • FIDO2 for IT login
  • DESFire EV3 for physical access
  • Central rights based on identity and roles
  • Consistent offboarding across both domains

This reduces inconsistent access and manual processes—common weaknesses in audits and risk reviews.

Secure Dynamic Messaging (SDM): Validation Without PACS Access

A key DESFire EV3 feature is Secure Dynamic Messaging (SDM). On a scan the card generates a dynamic URL that can include:

  • Card identity
  • A running counter
  • A cryptographic MAC
  • Optional application data

The data is verified server-side. In practice SDM enables:

  • Authenticity checks via a regular smartphone
  • Field verification without direct PACS access
  • Detection of copied or manipulated cards
  • Mobile and decentralized workflows

Useful for institutions, temporary locations, or scenarios without full system access.
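The server-side check described above, as an added example that is not part of the article or of any NXP or vendor code: it parses a constructed SDM-style URL carrying UID, read counter and truncated MAC, verifies the MAC with a per-card key diversified from a master key, and then rejects counters that do not increase (a copied URL replays an old counter). The URL layout, the master key and the verification endpoint are assumptions, and HMAC-SHA256 stands in for the AES-CMAC that real SDM uses so the example runs with the standard library alone.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed 16-byte master key for the demo; a real backend keeps this in an HSM.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
BASE_URL = "https://verify.example.invalid/sdm"   # assumed verification endpoint


def _prf(key: bytes, data: bytes, n: int) -> bytes:
    # Stand-in PRF: real SDM uses AES-CMAC with NXP's session-vector constants.
    # HMAC-SHA256 is used only so the example runs offline without extra packages.
    return hmac.new(key, data, hashlib.sha256).digest()[:n]


def card_key(uid: bytes) -> bytes:
    # Per-card key diversified from the master key and the 7-byte UID.
    return _prf(MASTER_KEY, b"card-key|" + uid, 16)


def sdm_mac(uid: bytes, ctr: int, mac_input: bytes) -> bytes:
    # Session key bound to UID and read counter, then a truncated 8-byte MAC over
    # the part of the URL the card authenticates (here: everything before "&cmac=").
    session = _prf(card_key(uid), uid + ctr.to_bytes(3, "little"), 16)
    return _prf(session, mac_input, 8)


def make_sdm_url(uid: bytes, ctr: int) -> str:
    # Simulates the card side: a dynamic URL with UID, counter and MAC (assumed format).
    query = f"uid={uid.hex()}&ctr={ctr:06x}"
    return f"{BASE_URL}?{query}&cmac={sdm_mac(uid, ctr, query.encode()).hex()}"


class SdmVerifier:
    """Backend check: MAC validity first, then counter monotonicity per UID."""

    def __init__(self) -> None:
        self.last_ctr: dict[str, int] = {}   # highest counter accepted per UID

    def verify(self, url: str) -> tuple[bool, str]:
        head, sep, tag = urlsplit(url).query.rpartition("&cmac=")
        if not sep:
            return False, "missing cmac"
        try:
            params = dict(p.split("=", 1) for p in head.split("&"))
            uid, ctr, mac = bytes.fromhex(params["uid"]), int(params["ctr"], 16), bytes.fromhex(tag)
        except (KeyError, ValueError):
            return False, "malformed parameters"
        if len(uid) != 7 or not hmac.compare_digest(mac, sdm_mac(uid, ctr, head.encode())):
            return False, "bad mac"            # tampered fields, cloned data or wrong key
        if ctr <= self.last_ctr.get(uid.hex(), -1):
            return False, "counter replay"     # a URL captured from an earlier scan
        self.last_ctr[uid.hex()] = ctr         # state is updated only after the MAC passed
        return True, "ok"
```

Checking the MAC before touching the counter table matters: unauthenticated input must never advance server state.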

Why MIFARE Classic Is Not a Modern Choice

MIFARE Classic is cryptographically broken and common in legacy installs:

  • Broken encryption
  • Easy emulation with cheap hardware
  • No real authentication
  • Weak traceability

With NIS2, it is hard to argue that MIFARE Classic represents acceptable residual risk when stronger options exist.

Migration: Cost Today, Risk Reduction Tomorrow

Moving from MIFARE Classic to DESFire EV3 can mean:

  • Replacing cards
  • Upgrading readers
  • Adapting backends and processes

But it also yields:

  • Removal of known vulnerabilities
  • Fewer compensating controls
  • Better alignment between physical and logical security
  • Stronger evidence in risk assessments and audits

For NIS2, see migration as strategic risk reduction, not just a technical upgrade.

NIS2 Alignment

A solution built on DESFire EV3, SDM, and FIDO2 directly supports core NIS2 principles:

  • Strong authentication
  • Controlled access to critical assets
  • Coherent physical and digital security
  • Reduced attack surface
  • Improved audit and incident evidence

That makes it highly relevant for organizations that must document both technical and organizational controls after NIS2 enters into force.

Closing

When identity is applied consistently—digitally and physically—you get a more robust, transparent, and auditable security model.

A combined DESFire EV3 card with Secure Dynamic Messaging and FIDO2 is more than an access badge. It is a foundation for modern access control that matches today’s threats and the coming regulatory demands.
