HID iCLASS SE vs Seos: Security Differences Explained
HID iCLASS SE and Seos are the two most secure physical access credentials HID Global produces, and neither can be cloned, copied, or sourced from third-party suppliers including American Key Cards. Both use AES-128 encryption and a Common Criteria EAL 5+ certified secure element — but they differ in their underlying hardware standard, their NFC capability, and where they fit in a long-term security strategy. If you are researching which platform to deploy or upgrade to, this comparison gives you an honest, technically grounded answer.
What iCLASS SE and Seos Have in Common
Before examining the differences, it is worth being clear about the security floor both platforms share. Neither iCLASS SE nor Seos is cloneable by any publicly known method. This is not a marketing claim — it is a direct consequence of how credential data is stored and authenticated on both platforms.
Both use Secure Identity Objects (SIOs) — encrypted, digitally signed data containers that hold the actual access credential. An SIO is not simply an encrypted payload you could copy to another chip. SIO Data Binding cryptographically ties the credential to the specific silicon it was issued on. Even if an attacker captured the full raw card transmission, the data would be inextricably linked to the original chip’s unique identifier and could not be replayed or transplanted.
Both platforms also support AES-128 mutual authentication, meaning the reader must prove its identity to the card before the card responds with any credential data. This eliminates the risk of rogue reader attacks that affected the older iCLASS legacy platform.
For organizations coming from legacy iCLASS (which used DES-based encryption and was shown to have practical vulnerabilities), either SE or Seos represents a fundamental security improvement, not an incremental one.
HID iCLASS SE: The Details
iCLASS SE (3000 series part numbers: 3000, 3002, 3003, 3004, 3050, 3100, 3150, 3250, 3300, 3350) operates at 13.56 MHz using the ISO 15693 / ISO 14443B air interface. It was introduced in 2011 as HID’s answer to the demonstrated vulnerabilities in legacy iCLASS, and it achieved a complete architectural change — not a patch.
The SE chip is a dedicated secure element certified to Common Criteria EAL 5+, with an AES cryptographic co-processor. Credential programming requires HID’s issuance infrastructure, which means credentials must be enrolled through an authorized system integrator. The 3100 part number adds a 125 kHz HID Prox layer to the same card body, making it a dual-technology credential useful for facilities in the middle of a reader migration.
iCLASS SE supports any HID bit format (26-bit H10301, 37-bit H10302 / H10304, Corporate 1000 35-bit, and others) — all SIO-encoded and field programmable within the platform’s issuance workflow.
Compatible SE readers include:
- HID iCLASS SE R10 (
900), R15 (910), R40 (920) - HID multiCLASS SE (
940) - HID Signo 20, 25, and 40
- HID iCLASS SE Express readers
- Third-party readers with an HID SIO Processor module
HID Seos: The Higher Tier
HID Seos (5000 series: 5005, 5006, 5015, 5016, 5266 key fob) runs on a 13.56 MHz ISO/IEC 14443 Type A chip — the same standard used in NFC contactless payment cards and modern transit credentials. This hardware choice is significant: ISO 14443A is the dominant NFC standard on smartphones, which is why Seos powers HID Mobile Access, HID’s mobile credential platform.
The Seos secure element is also Common Criteria EAL 5+ certified and uses AES-128 mutual authentication and SIO Data Binding — the same SIO framework as iCLASS SE, but on a newer chip platform with ISO 14443A compliance. In practice, this means Seos can operate over NFC on an iPhone or Android device using HID Mobile Access, not just on a physical card. A facility can issue a Seos credential either on a physical card (5006 or 5005) or to a mobile device through the HID Origo platform, and both work on the same readers.
The 510x series adds a 125 kHz Prox layer to a Seos card, serving the same migration-bridging role as the SE 3100 part.
Seos is the correct choice for:
- New high-security deployments where mobile credentials may be needed in the future
- Federal, financial, healthcare, or critical infrastructure environments
- Organizations planning to consolidate physical and mobile credentials on a single platform
- Any site deploying HID Signo readers, which are Seos-native
Head-to-Head Comparison
| Feature | iCLASS SE | Seos |
|---|---|---|
| Frequency | 13.56 MHz | 13.56 MHz |
| Air interface | ISO 15693 / ISO 14443B | ISO/IEC 14443 Type A |
| Chip security | Common Criteria EAL 5+ | Common Criteria EAL 5+ |
| Encryption | AES-128, SIO | AES-128, SIO Data Binding |
| Mobile credential (NFC/BLE) | No | Yes (HID Mobile Access) |
| Cloneable | No | No |
| Physical card part numbers | 3000, 3002, 3003, 3004, 3050 | 5005, 5006, 5015, 5016 |
| Dual-technology (+ 125 kHz prox) | 3100, 3150 | 510x series |
| Key fob | 3250 (Key Fob II) | 5266 |
| Reader compatibility | SE R10/R15/R40, multiCLASS SE, Signo | SE R10/R15/R40, multiCLASS SE, Signo |
| Third-party supply | Not possible | Not possible |
Both platforms read on the same current HID reader lineup, which simplifies infrastructure decisions. If your readers are HID SE-series or Signo, you can deploy either credential type without hardware changes.
Why Neither Can Be Sourced from Third Parties
This point is worth being explicit about, because some buyers assume that any smart card can be programmed with the right data if you have a compatible blank.
That assumption is correct for unencrypted 125 kHz credentials like standard HID Prox, AWID, or Kantech ioProx cards — see our HID iCLASS SE format guide for a full breakdown of the SE platform’s structure. It is not correct for iCLASS SE or Seos.
The credential payload on an SE or Seos card is:
- AES-encrypted, so the data itself cannot be read without the facility key
- Digitally signed as an SIO, so a tampered or copied payload is rejected by the reader
- Bound via SIO Data Binding to the chip’s unique identifier, so the payload cannot be transplanted to a different chip even if extracted
Enrollment requires HID’s Trusted Identity Platform and a facility-specific key set managed by your authorized HID dealer or system integrator. American Key Cards is not affiliated with HID Global and cannot produce, program, or re-encode iCLASS SE or Seos credentials. Any vendor claiming to sell compatible SE or Seos cards without HID issuance infrastructure is either selling something that will not work, or misrepresenting the product.
What American Key Cards Can Help With
Although we cannot supply iCLASS SE or Seos credentials directly, we are a useful resource at two points in your credential management process.
Identification: If you need to confirm which exact part number your system uses, we can help you cross-reference OEM part numbers (3000 through 3350 for SE, 5005 through 5266 for Seos) against your reader model and deployment history.
Migration planning: Many facilities that reach out about SE or Seos replacements are running a mixed fleet — some doors on legacy iCLASS, some on SE. For the doors and systems still using unencrypted 125 kHz formats, American Key Cards supplies compatible programmed credentials at competitive pricing. See our pages on iCLASS SR credentials and standard HID Prox cards if your facility uses those alongside an SE or Seos deployment.
Referral: We can refer you to authorized HID channel partners who have the issuance infrastructure to program replacement SE or Seos credentials for your facility.
Which Format Should You Choose?
If you are deploying new readers and credentials from scratch: choose Seos. It is the current-generation platform, it supports mobile credentials, and HID’s Signo reader line is designed around it. There is no reason to start a new deployment on the older SE platform unless you have specific infrastructure constraints.
If you have an existing iCLASS SE installation and functioning SE readers: stay on SE unless you have a specific reason to upgrade. Your existing reader infrastructure already supports SE credentials, and SE provides the same clone-proof security for physical card use cases. Upgrade to Seos when you are ready to deploy mobile credentials or when your readers reach end of life and you are replacing them with Signo hardware.
If you are still on legacy iCLASS (the pre-2011 DES-based platform): plan a migration to SE or Seos. The standard-keyed legacy platform has documented vulnerabilities, and inexpensive tools can clone standard-keyed legacy cards. Elite-keyed legacy iCLASS offers improved protection but does not reach the security level of SE or Seos.
For questions about identifying your current HID format or planning a phased migration, contact American Key Cards. We can help you map your existing credential inventory and identify which doors are on legacy formats where compatible aftermarket credentials may be an option during the transition.
Frequently asked questions
Can HID iCLASS SE or Seos cards be cloned?
No. Both iCLASS SE and Seos use AES-based mutual authentication and a Common Criteria EAL 5+ certified secure element. Credential data is cryptographically bound to the specific chip through Secure Identity Objects (SIOs). There are no publicly known successful cloning attacks against either platform as of 2025. American Key Cards does not offer and cannot perform cloning services for either credential type.
What is the main security difference between iCLASS SE and Seos?
iCLASS SE uses the ISO 15693 / ISO 14443B air interface and introduced SIO technology and AES encryption as a major upgrade from legacy iCLASS. Seos goes further: it runs on ISO/IEC 14443 Type A silicon with a Common Criteria EAL 5+ certified chip, supports NFC mobile delivery via HID Mobile Access, and uses SIO Data Binding to lock credentials to the specific chip with no known public attack surface. Seos is the higher-tier platform for new deployments.
Do I need to replace my readers to upgrade from iCLASS SE to Seos?
Not necessarily. HID SE-series readers (models 900, 910, 920, 940) and Signo readers support both iCLASS SE and Seos credentials in their standard configuration. A firmware or configuration update through your integrator is typically all that is required. Legacy iCLASS-only readers cannot read either format without hardware replacement.
Can American Key Cards supply iCLASS SE or Seos replacement cards?
No. Neither iCLASS SE nor Seos cards can be produced or re-encoded by third-party suppliers. Both require enrollment through HID's Trusted Identity Platform by an authorized dealer or system integrator. American Key Cards can help you identify the correct blank card part number (such as 3000 or 5006) and refer you to an authorized HID channel partner for programming.
