NFC ID Calculation Technical Description

YubiKey for Door Access

The YubiKey 5 NFC can be used for physical access to doors. Essentially, the physical access system reads out the NFC ID from the YubiKey, truncates and parses the NFC ID in different ways, and checks if there is a match to a registered value in a database. If there is a match, the door is unlocked.

NFC ID Calculation for YubiKey v5.2.x and Earlier

For YubiKeys with firmware version 5.2.x and earlier, the NFC ID was calculated as follows:

0x88 0x27 0 0 serial_3 serial_2 serial_1 serial_0

where serial_0, serial_1, serial_2 and serial_3 are the four bytes containing information about the YubiKey’s serial number. In other words, each serial_x is a byte that contains some of the digits of the serial number; it is not a digit in itself.

serial_0 is the most significant digit and serial_3 is the least significant digit. The least significant digit (serial_3) changes most frequently, while the most significant digit (serial_0) changes with the lowest frequency.

When a door access system reads out the NFC ID from the YubiKey, the NFC ID may be truncated and reversed in different ways before it is matched to the registered IDs in a database. In some cases, the most significant digits are parsed out and placed first, while the rest of the NFC ID is truncated. Such processing has in some cases resulted in parsed NFC ID values that consist of the most significant digits such as serial_0 and serial_1, which may not be unique for a batch of YubiKeys. In other cases, only 0x27 0 0 are used, which results in non-unique values.

NFC ID Calculation for YubiKey v5.3.0 and Later

For YubiKeys with firmware version 5.3.0 and later, the NFC ID calculation was changed so that the NFC ID is now derived as:

0x88 0x27 serial_3 serial_2 serial_1 serial_0 serial_2 serial_3

Note that two of the four bytes in the serial number are repeated both at the beginning and at the end of the sequence.

For Yubico Security Keys, which do not have serial numbers, the NFC ID is calculated as follows:

0x08 AA BB CC where AA, BB and CC are random bytes.

This updated calculation of the NFC ID ensures unique values, regardless of the parsing direction of the NFC ID, whether from left to right or right to left.
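The following added example (not Yubico code) builds both byte layouts described above and counts how many NFC IDs in a batch collapse to the same value under different reader truncation rules. The big-endian encoding of the serial number, the parser names and the batch of serial numbers are assumptions constructed for illustration.

```python
from collections import Counter

def serial_bytes(serial):
    # Assumption: the serial is a 32-bit integer and serial_0 is its most
    # significant byte. Returns (serial_0, serial_1, serial_2, serial_3).
    return tuple(serial.to_bytes(4, "big"))

def nfc_id_legacy(serial):
    # Firmware 5.2.x and earlier: 0x88 0x27 0 0 serial_3 serial_2 serial_1 serial_0
    s0, s1, s2, s3 = serial_bytes(serial)
    return bytes([0x88, 0x27, 0, 0, s3, s2, s1, s0])

def nfc_id_current(serial):
    # Firmware 5.3.0 and later: 0x88 0x27 serial_3 .. serial_0 serial_2 serial_3
    s0, s1, s2, s3 = serial_bytes(serial)
    return bytes([0x88, 0x27, s3, s2, s1, s0, s2, s3])

# Hypothetical reader parsing rules (truncate, optionally reverse).
PARSERS = {
    "first4": lambda uid: uid[:4],
    "last4": lambda uid: uid[-4:],
    "last2_reversed": lambda uid: uid[-2:][::-1],
}

def collisions(serials, layout, parser):
    # Number of keys whose parsed value duplicates one already seen.
    seen = Counter(parser(layout(s)) for s in serials)
    return sum(n - 1 for n in seen.values())

def audit(serials):
    # Collision count per (layout, parser) pair for an enrolled batch.
    layouts = {"legacy": nfc_id_legacy, "current": nfc_id_current}
    return {(ln, pn): collisions(serials, lf, pf)
            for ln, lf in layouts.items() for pn, pf in PARSERS.items()}

# Constructed batch: 300 consecutive serial numbers, not real devices.
BATCH = [16_000_000 + i for i in range(300)]

if __name__ == "__main__":
    for (layout, parser), dupes in audit(BATCH).items():
        print(f"{layout:8} {parser:15} duplicates={dupes}")
```

To check a deployment, replace BATCH with the serial numbers enrolled in the access system and PARSERS with the rule the reader actually applies.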

Note

FIDO Reset over NFC on Windows

If you have a YubiKey with the PIV capability enabled and you have never reset the FIDO2 application, you might find that your first attempt to reset the FIDO2 application fails with an error message. On the second attempt, the application will be reset successfully.

