UHF RFID Security Measures


Class 1 Gen 2 UHF RFID Tags. The gaps in usage of UHF tags were even more pronounced before the release of Class 1 Gen 2 in 2004, because previous versions such as Class 1 Gen 1 contained virtually no security features.

Called “Gen 2” for short, the Class 1 Gen 2 protocol was released in order to create a single global standard for interoperability. Because the standard was created primarily to unify tag and hardware manufacturers under one global standard, security measures were auxiliary in production, but still managed to answer to newly emerging issues. A burst of security and authentication problems arose some pre- but mostly post-2004, forcing EPCglobal and ISO to respond with increased security measures on UHF tags in both the Gen 2 standard and the newly released G2V2 standard.

Security Breaches

Security breaches started as low-scale threats like hackers reading tags and obtaining private information, but they have grown into seven large global threats to UHF RFID security. To be addressed in a later post, these seven threats include hacking events like spoofing, reverse engineering, and eavesdropping. Current Gen 2 tags do not have the capability to thwart all threats, but two security measures in particular were developed and applied to UHF Gen 2 tags in order to provide the first layer of protection against hackers – serialized TID numbers and passwords.

TID Numbers

When the Gen 2 standard was released, it introduced serialized Transponder ID (TID) numbers for identification purposes. While initially the concept of serialized TID numbers was intended for identification purposes (manufacturer’s codes, etc.), the TID became widely used for the purpose of authentication once cloning tags became achievable. TID numbers, unlike EPC numbers, are locked after being written at the factory and as a general rule cannot be tampered with. Generally, to authenticate a tag that is suspected to be fake, read the EPC memory bank and the TID memory bank and record both numbers.


Two password functionalities are currently available on Class 1 Gen 2 tags: the access password and the kill password. Both passwords are stored on the reserved memory block and come pre-encoded with zeros, which do not function as an access or kill code.

Access Code

The access code on UHF Gen 2 tags must be written in order to be used. Once written, the access code is stored on the reserved memory bank along with the kill code and prevents anyone from changing the ‘lock’ state without first sending the 32-bit code. Four lock states exist on each memory bank:

  1. Unlocked
  2. Perma-unlocked (can never be locked)
  3. Locked
  4. Perma-locked (can never be unlocked)

The access code can also prevent readers from reading the reserved memory bank if it is locked. “Locking” the memory bank enables it only to be read when the reader interrogates it first with the access code, and is the first layer of security generally used with UHF tags. After the access code has been written and the selected memory bank has been locked, the next step is to lock the access password so that users cannot simply re-write it. It is important to note that a small piece of software is usually required in order for the reader to interrogate the tag using the access password. For specifics on locking RFID tags, read Locking Memory on EPC Gen2 RFID Tags.

Kill Code

The kill code is used primarily for applications that require tags to change state (or phase) to indicate a specific event has occurred. Applications like retail benefit from the kill code because once an item is purchased the tag can be killed, making it permanently unreadable. If this method is used, a reader is generally set up at the register to send the kill code after checkout. Using this state change, retailers are able to know if an item was actually purchased versus stolen if it is returned.

The Future – G2V2

Ever since the first details were released about the new G2V2 standard, the idea of security with UHF RFID tags has changed drastically. The new standard takes UHF tags into the 21st century - from two small security measures on Gen 2 tags, to intricate anti-counterfeiting measures and security privileges on G2V2. EPCglobal and ISO were able to step up security and anti-counterfeiting for this new standard by using encryption and cryptologic keys.

While enhanced security measures along with the other three new features are revolutionary, these features are not required on all G2V2 tags. The chips will be customizable based on which features the application needs. For example, if a manufacturing application needed enhanced user memory on tags in order to store increased information but did not need cryptographic authentication, EAS functionality, or the ability to be untraceable, the users can purchase the tag with that one feature alone. Allowing these tags to be customizable (16 combinations) enables them to be cheaper because one-feature chips will be cheaper than chips with all four features.

Even though allowing the chips to be customizable is cost-effective, it adds a huge barrier in the production timeline and availability. Because manufacturers cannot predict which combination will produce the biggest return-on-investment, virtually no G2V2 chips have been put into production as of mid-2016. Back in 2014, it was estimated these chips would be put into production and available in different tag formats for purchase by early 2016; but until the demand grows and large companies place significant orders, these tags will not likely be available in the near future.


For more information on Gen 2 security measures, or Gen 2 V2, comment below or contact us for more information.

For more information on all things RFID, check out our RFID resources page or our YouTube channel.

To learn more about RFID security, check out the links below!