Skip to content
MIFARE 13.56 MHz Secured credential

MIFARE DESFire EV3 Compatible Cards & Fobs

MIFARE DESFire EV3 is NXP's current-generation flagship smart card — EAL5+ certified, AES-128 only (single DES removed), with Secure Unique NFC messaging, 1 million write cycles, and extended read range — not cloneable, recommended for all new high-security deployments.

Quote MIFARE DESFire EV3 cards View specs

MIFARE DESFire EV3 operates at 13.56 MHz per ISO/IEC 14443 Type A with an EAL5+ certified secure element and an AES-128-only cipher suite (legacy DES removed), supporting unlimited simultaneous applications, Transaction MAC write integrity, proximity check anti-relay protection, and Secure Unique NFC (SUN) messaging that generates a per-tap cryptographically signed NDEF payload verifiable by a backend without dedicated reader hardware. American Key Cards supplies DESFire EV3 blank and unencoded for new installations — no existing secured EV3 credential can be copied or cloned, and AKC does not hold or require access to any operator application keys.

MIFARE DESFire EV3 specifications

Brand / OEM
NXP Semiconductors
Technology
Contactless smart card (ISO/IEC 14443 Type A, ISO 7816)
Frequency
13.56 MHz
Chip
NXP MF3D(H)x3; 2K (MF3D23), 4K (MF3D43), 8K (MF3D83) variants; AES-128 hardware encryption (3DES legacy supported, DES removed); EAL5+ Common Criteria certified; 7-byte UID; SUN (Secure Unique NFC) messaging; 1 million write-cycle endurance
Bit formats
Proprietary NXP DESFire application-layer encoding (AES-128 per application), 26-bit Wiegand (via reader-side CSN extraction), 37-bit Wiegand (via reader-side CSN extraction), OSDP v2 (reader-dependent), SUN (Secure Unique NFC) authenticated URL output for NFC phone tap
OEM part numbers
MF3D23, MF3D43, MF3D83, MF3DH23, MF3DH43, MF3DH83

Honest note: MIFARE DESFire EV3 is a secured credential

MIFARE DESFire EV3 cannot be cloned. EAL5+ certified secure element with AES-128 — single DES is removed (further hardening over EV2). Adds Secure Unique NFC (SUN) messaging: each tap generates a cryptographically signed, unique authentication code usable for backend verification without a dedicated reader. American Key Cards supplies blank, unencoded DESFire EV3 cards for new deployments and encoding infrastructure; existing secured credentials cannot be duplicated by any party without the operator's AES application keys. If you're deploying a new system or need standard prox credentials your readers also accept, contact us and we'll tell you exactly what's possible.

Can MIFARE DESFire EV3 cards be copied?

No. MIFARE DESFire EV3 relies on secure encryption, so it cannot be cloned from an existing card. This is a security strength, not a limitation of our service.

Where MIFARE DESFire EV3 is used

  • New enterprise and government access control deployments
  • NFC mobile credential hybrid deployments (SUN tap-to-web authentication)
  • Campus multi-application smart ID replacing older DESFire EV1/EV2
  • Healthcare and pharmaceutical facility high-assurance access
  • Transit fare media requiring 1 million write-cycle card longevity
  • Secure building access replacing HID iCLASS SE or Seos

Compatible readers

HID multiCLASS SE RP40 readers with DESFire EV3 credential supportAllegion aptiQ multi-technology readersLenelS2 BlueDiamond multi-tech readers (EV3 support)Dormakaba DESFire EV3-capable readersGallagher Command Centre DESFire EV3 readersHID OMNIKEY 5427 CK / 5022 desktop encoding readersStandard NFC-enabled smartphones (SUN messaging via NDEF)

Related formats

You might also need

MIFARE

MIFARE DESFire EV2

MIFARE DESFire EV2 is NXP's second-generation multi-application secure card with EAL5+ certification, AES-128 encryption, anti-relay proximity check, and Transaction MAC — not cloneable, widely deployed in enterprise and government access control.

13.56 MHz Secure
View compatible cards
HID Rare format

HID Seos

HID Seos is HID Global's current flagship smart card credential, delivering AES-128 encryption, Common Criteria EAL 5+ hardware, and SIO Data Binding — making it immune to all known cloning attacks.

13.56 MHz Secure
View compatible cards
MIFARE

MIFARE Plus

MIFARE Plus is NXP's drop-in AES-128 upgrade path for MIFARE Classic infrastructure, offering backward-compatible SL1 mode (readable by Classic readers) and fully secure SL3 mode (AES-128, not cloneable) on a single card platform.

13.56 MHz Secure
View compatible cards

MIFARE DESFire EV3 — FAQ

Can MIFARE DESFire EV3 cards be cloned?

No. DESFire EV3 is EAL5+ certified with AES-128 hardware encryption — single DES support has been removed, tightening the cipher suite further than EV2. The application keys never leave the secure element. There is no known attack allowing a secured EV3 credential to be cloned. AKC supplies blank cards only.

What does DESFire EV3 add over EV2?

EV3 adds Secure Unique NFC (SUN) messaging — each card tap generates a cryptographically unique, verifiable NDEF URL without requiring a dedicated reader, enabling tap-to-verify use cases with a smartphone. It also removes legacy single-DES support, doubles write endurance to 1 million cycles, and extends read range to approximately 26 mm (vs 22 mm on EV2). EV3 is fully backward compatible with EV1 and EV2 readers.

Is DESFire EV3 compatible with my existing DESFire EV1 or EV2 readers?

Yes — DESFire EV3 is backward compatible with EV1 and EV2 at the protocol and application level. Existing readers that support DESFire will communicate with EV3 cards; whether EV3-specific features like SUN messaging are available depends on reader firmware.