NFC ID Calculation Technical Description
YubiKey for Door Access
The YubiKey 5 NFC can be used for physical access to doors. Essentially, the physical access system reads out the NFC ID from the YubiKey, truncates and parses the NFC ID in different ways, and checks if there is a match to a registered value in a database. If there is a match, the door is unlocked.
NFC ID Calculation for YubiKey v5.2.x and Earlier
For YubiKey with firmware version 5.2.x and earlier, the NFC ID was calculated as follows:
0x88 0x27 0 0 serial_3 serial_2 serial_1 serial_0
where serial_0, serial_1, serial_2 and serial_3 are the four bytes containing information about the YubiKey's serial number. In other words, serial_x is a byte that contains some of the digits of the serial number, but is not a digit in itself.
serial_0 is the most significant digit, ranging to serial_3, which is the least significant digit. The least significant digit (serial_3) changes most frequently, while the most significant digit (serial_0) changes with the lowest frequency.
When a door access system reads out the NFC ID from the YubiKey, the NFC ID may be truncated and reversed in different ways before it is matched to the registered IDs in a database. In some cases, the most significant digits are parsed out and placed first, while the rest of the NFC ID is truncated. Such processing has in some cases resulted in parsed NFC ID values that consist of the most significant digits such as serial_0 and serial_1, which may not be unique for a batch of YubiKeys. In other cases, only 0x27 0 0 are used, which results in non-unique values.
NFC ID Calculation for YubiKey v5.3.0 and Later
For YubiKeys with firmware version 5.3.0 and later, the NFC ID calculation was changed so that the NFC ID is now derived as:
0x88 0x27 serial_3 serial_2 serial_1 serial_0 serial_2 serial_3
Note that two of the four bytes in the serial number are repeated both at the beginning and at the end of the sequence.
For Yubico Security Keys, which do not have serial numbers, the NFC ID is calculated as follows:
0x08 AA BB CC
where AA, BB and CC are random bytes.
This updated calculation of the NFC ID ensures unique values, regardless of the parsing direction of the NFC ID, whether from left to right or right to left.
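The following added example (not Yubico code) builds both NFC ID layouts for a batch of serial numbers and counts how many distinct values survive several reader truncation rules, which is the check to run before enrolling keys in a door system. It assumes the serial is packed as a 32-bit big-endian integer; the reader rules and the serial range are constructed for illustration.

```python
import struct

def serial_bytes(serial):
    # Assumption: serial packed as 32-bit big-endian, so serial_0 is the
    # most significant byte and serial_3 the least significant.
    return tuple(struct.pack(">I", serial))

def nfc_id_legacy(serial):
    # Firmware 5.2.x and earlier: 0x88 0x27 0 0 s3 s2 s1 s0
    s0, s1, s2, s3 = serial_bytes(serial)
    return bytes([0x88, 0x27, 0, 0, s3, s2, s1, s0])

def nfc_id_current(serial):
    # Firmware 5.3.0 and later: 0x88 0x27 s3 s2 s1 s0 s2 s3
    s0, s1, s2, s3 = serial_bytes(serial)
    return bytes([0x88, 0x27, s3, s2, s1, s0, s2, s3])

# Hypothetical ways a door controller might cut down the ID it reads.
READER_VIEWS = {
    "first 4 bytes": lambda uid: uid[:4],
    "bytes 1-3": lambda uid: uid[1:4],
    "last 4 bytes": lambda uid: uid[-4:],
    "last 2 bytes": lambda uid: uid[-2:],
    "reversed, first 4": lambda uid: uid[::-1][:4],
}

def distinct_ids(layout, view, serials):
    # Number of different values the access database would see.
    return len({view(layout(s)) for s in serials})

def audit(serials):
    # Map each reader rule to (distinct legacy IDs, distinct current IDs).
    return {
        name: (distinct_ids(nfc_id_legacy, view, serials),
               distinct_ids(nfc_id_current, view, serials))
        for name, view in READER_VIEWS.items()
    }

# Constructed batch of 1000 consecutive serial numbers.
BATCH = range(12345000, 12346000)

if __name__ == "__main__":
    for name, (legacy, current) in audit(BATCH).items():
        flag = "COLLISIONS" if legacy < len(BATCH) else "ok"
        print(f"{name:18} legacy={legacy:4} current={current:4} {flag}")
```

Any rule that reports fewer distinct values than keys in the batch would let one enrolled key match another key's database entry.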
Note
FIDO Reset over NFC on Windows
If you have a YubiKey with the PIV capability enabled and you have never reset the FIDO2 application, you might find that your first attempt to reset the FIDO2 application fails with an error message. On the second attempt the application will be reset successfully.