MIFARE Classic vs DESFire EV3: Which smart card chip for your ID cards?
If you’re printing ID cards with smart card chips inside, you’ll encounter two names almost immediately: MIFARE Classic and DESFire EV3. Both are made by NXP. Both work with standard card printers. Both can be encoded during printing. But they’re designed for very different use cases.
Here’s how to choose — in plain language.
The short version
MIFARE Classic is a contactless barcode. It stores a small amount of data (an ID number, an organisation code) that a reader can scan quickly. It’s cheap, simple, and works with a huge installed base of existing readers.
DESFire EV3 is more like an encrypted USB drive on a card. It stores more data, encrypts it with AES-128, supports multiple independent applications on a single chip, and each application has its own security keys. It costs more, but it does more.
Side-by-side comparison
| MIFARE Classic 1K | DESFire EV3 | |
|---|---|---|
| Security | Standard (known vulnerabilities in the encryption) | High (AES-128, no published attacks) |
| Usable storage | ~752 bytes | 2,048 – 8,192 bytes |
| Structure | Fixed data blocks | Flexible filesystem (apps, files, permissions) |
| Multi-purpose | One use per card | Multiple independent secured applications |
| Phone readable (NFC) | No (older protocol) | Yes, with app or tap-to-verify configuration |
| Card cost | ~$0.30 – $0.60 AUD | ~$1.00 – $2.50 AUD |
When MIFARE Classic is the right choice
MIFARE Classic has been around since the mid-1990s. It’s everywhere — building access, attendance systems, library cards, campus IDs. If your organisation already has card readers installed, there’s a good chance they speak MIFARE Classic.
Choose MIFARE Classic when:
- You need a scannable ID number for an existing system (door readers, time and attendance)
- Your main goal is identity lookup — the reader scans the card and looks up the person in a database
- You’re issuing cards at high volume and cost per card matters
- You don’t need to store sensitive data on the chip itself
- You’re working with legacy infrastructure that doesn’t support newer chip types
What you can store: Employee or student ID number, organisation identifier, card serial number, role code, issue date. Think of it as a digital version of the barcode on the back of a loyalty card — enough to identify the person, not enough for anything more.
When DESFire EV3 is worth the extra cost
DESFire EV3 is the modern standard for secure smart cards. Each card is essentially a small computer with a filesystem — you create applications, each with their own encryption keys and files. One card can serve multiple systems without them interfering with each other.
Choose DESFire EV3 when:
- You need encryption — data on the card must be protected, not just obscured
- You want multiple applications on one card — ID, library, parking, cafeteria
- You’re in a compliance-sensitive environment (healthcare, government, aged care, NDIS)
- You want NFC tap-to-verify — write a URL to the card that any phone can read
- You need offline verification — store enough data on the card to verify identity without network access
- You’re building a campus or multi-site system where the card serves multiple independent purposes
What you can store: Structured identity payload (name, ID, organisation, role, expiry dates), photo hash for offline verification, credential metadata, access zone lists, a tap-to-verify URL, and multiple independent application payloads.
The multi-purpose card advantage
This is where DESFire EV3 genuinely earns its premium. On a MIFARE Classic card, the entire chip is one flat block of data. Every system that reads the card sees the same thing.
On a DESFire EV3 card, each application is independently secured:
| Application | Purpose | Key holder |
|---|---|---|
| App 1 (NFC) | Tap-to-verify URL | Public — any phone can read it |
| App 2 (CaptrID) | Identity data + photo hash | Your organisation |
| App 3 (Library) | Library patron ID | Library system vendor |
| App 4 (Access) | Building access zones | Access control vendor |
The library system can’t read the access control data. The access control system can’t modify the identity payload. Each application is a sealed compartment with its own keys. You print the card once, and each system writes to its own space independently.
What about NFC tap-to-verify?
DESFire cards can store a verification URL in a format that any NFC-enabled phone can read without an app. When someone taps the card on their phone, the browser opens and shows the holder’s verified identity.
This bridges the gap between physical and digital credentials. The printed card looks like a normal ID card. But it also works as a digital pass — tap it on a phone, and you get the same verified identity page as scanning a QR code on a wallet ID.
MIFARE Classic can’t do this. Its older protocol isn’t supported by phone NFC readers. If tap-to-verify matters to you, that alone may justify DESFire.
A note on security
MIFARE Classic uses an encryption scheme called Crypto-1 that has been publicly broken since 2008. This doesn’t mean MIFARE Classic cards are useless — it means you shouldn’t store sensitive data on the chip and expect the encryption to protect it. For simple identity lookup (scan the card, look up the person in a database), MIFARE Classic is perfectly functional.
DESFire EV3 uses AES-128 — the same encryption standard used in online banking and government communications. If someone gets hold of a DESFire card, they can’t read the encrypted data without the correct application keys.
For most organisations, the practical difference is this: MIFARE Classic is fine for “scan and look up”. DESFire EV3 is necessary for “the card itself is the credential”.
What most organisations should do
If you’re starting fresh with no existing infrastructure:
- Under 500 people, simple ID needs → MIFARE Classic. Low cost, gets the job done.
- Compliance requirements, multiple systems, or NFC tap-to-verify → DESFire EV3. Worth the $1-2 premium per card.
- Already have MIFARE Classic readers installed → MIFARE Classic, unless you have a specific reason to migrate.
If you’re running both physical cards and digital wallet IDs (which is increasingly common), DESFire EV3 with tap-to-verify gives you the best of both worlds — a physical card that doubles as a digital credential.
CaptrID handles both
CaptrID encodes both MIFARE Classic and DESFire EV3 chips during the print process. You select people from your roster, choose your card template, and the card comes out printed and encoded in a single pass. The chip’s unique identifier is stored against the person’s record automatically.
Pick the card technology that fits your use case, and CaptrID handles the encoding.
CaptrID prints and encodes smart cards from the browser. See how card printing works or start a free trial.