
Seritag have now added the option to request password protected encoding. This article examines what it is and how it can be used.
When normal NFC tags - such as the NTAG213, NTAG215 and ICODE SLIX - are encoded, it's also possible to lock the tags so that the data cannot be changed. This is essential for anyone using the tags in public areas. If the tags are left unlocked, anyone with a mobile phone can change the data and then lock the tags themselves.
However, locking tags is permanent. Nobody, even Seritag, can change the data on a locked tag.
The problem arises when you want to change where the tags link to. As you can't change the data on a locked tag, the normal solution is to use tag management software like our ixkio platform.
With tag management, the tags are encoded directly to the management platform and then locked. When scanned, the tags direct to the management server and the user is then instantly redirected to the final web page destination. This means that data on the tag doesn't need to be changed, only the final destination in the tag management platform.
However, this system doesn't work for everyone and only works when you are encoding a weblink onto the tags. If you are encoding text, it doesn't work.
This is where password protection comes in. Instead of locking the NFC tag, we encode the tag so that the data is locked to a password. Anyone can read the tag, but the data can only be changed when using the password. Effectively, the tag is write protected.
Password Protection allows NFC tags in public locations to be secure, but re-writable
Seritag are now offering password protection as a locking option on NTAG213 tags when we handle the encoding. It's not available on all tags yet, but will be over the coming months. To order online, you can enter your chosen password after selecting Seritag encoding.
Passwords for NTAG213 NFC tags are four hexadecimal bytes, which means 8 characters in the range of zero to nine and A to F. For example, the password could be: AB 12 D3 F9. Other characters are not allowed.
When encoding with password protection, it's possible to also set the number of failed password attempts before the tags are permanently locked. There's quite a small limit on this - up to seven times. There's some debate about the best approach.
If you use the failed attempt option, then it would be possible for someone, perhaps mischievously, to use an app to enter the password incorrectly just seven times - which would permanently lock your tag. Your tag would still scan, but you wouldn't be able to change the data.
On the flip side, if you don't limit, then it would be possible for a reader to 'brute force' attack the tag and go through all the combinations to attempt an unlock. However, consider that NXP's datasheet states that it takes 627 microseconds for the tag itself to respond. On top of this, you need to consider all the additional communication overhead and the time for the reader to activate and process the data. Realistically, you would be lucky to do 100 attempts per second with good hardware. With a phone, it could be a fraction of that. There are 4.3 billion possible combinations, so even at 100 per second it would take over a year - non-stop. With a phone, it would take many, many years.
Clearly, you might get lucky and get the password on the first attempt, but on average this isn't something that's going to be easy.
So, what should you choose? By default, Seritag encode without the limiter. For most use cases - contact cards, waypost signs, Church NFC tags, etc - we would say the risks from someone messing about outweigh the risks of a concerted brute force attack. However, we can do either. So if you prefer us to limit (AUTHLIM) your tags - just let us know.
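To make the password format and the AUTHLIM choice above concrete, the following added example (not Seritag's code or app) builds the NTAG213 write commands that switch on write-only password protection. The page addresses and bit positions are taken from NXP's NTAG213 datasheet and are an assumption to check against your copy; the function names and the PACK default are hypothetical.

```python
import re

# Register layout as given in NXP's NTAG213 datasheet (assumption: verify before use).
PAGE_CFG0, PAGE_CFG1, PAGE_PWD, PAGE_PACK = 0x29, 0x2A, 0x2B, 0x2C
CMD_WRITE = 0xA2
PROT_BIT = 0x80        # ACCESS bit 7: 0 = password guards writes only
AUTHLIM_MASK = 0x07    # ACCESS bits 2..0: 0 = no limit, 1..7 = failed attempts


def parse_password(text):
    """Accept 'AB 12 D3 F9' or 'AB12D3F9'; return the four password bytes."""
    compact = text.replace(" ", "")
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", compact):
        raise ValueError("password must be exactly 8 characters, 0-9 and A-F")
    return bytes.fromhex(compact)


def access_byte(current, authlim):
    """Keep unrelated ACCESS bits, clear PROT (reads stay open), set AUTHLIM."""
    if not 0 <= authlim <= 7:
        raise ValueError("AUTHLIM is a 3-bit field: 0 (off) to 7")
    return (current & ~(PROT_BIT | AUTHLIM_MASK) & 0xFF) | authlim


def protection_writes(password, cfg0, cfg1, first_page, authlim=0, pack=b"\x00\x00"):
    """Return WRITE frames in a safe order: secrets first, AUTH0 last.

    cfg0/cfg1 are the 4-byte pages read from the tag beforehand, so mirror
    and counter settings survive the update (read-modify-write).
    """
    pwd = parse_password(password)
    new_cfg1 = bytes([access_byte(cfg1[0], authlim)]) + cfg1[1:]
    new_cfg0 = cfg0[:3] + bytes([first_page])   # AUTH0 is byte 3 of page 29h
    pages = [(PAGE_PWD, pwd), (PAGE_PACK, pack + b"\x00\x00"),
             (PAGE_CFG1, new_cfg1), (PAGE_CFG0, new_cfg0)]
    return [bytes([CMD_WRITE, page]) + data for page, data in pages]


def exhaustive_search_days(attempts_per_second):
    """Days to try every 4-byte password at a given rate (article: ~100/s)."""
    return 2 ** 32 / attempts_per_second / 86400
```

Writing AUTH0 last matters because that write is what activates the protection; once it lands, any further change to the configuration pages needs the password.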
Firstly, it's simply not as secure as using full grade authentication NFC tags such as the NTAG424. Secondly, to change the data you still need to be next to the tags and change them one by one - so it's not as useful in some cases as tag management.
It's a great solution for the right use case, but not all.
Seritag are launching an updated version of the Seritag NFC Encoder app later in December 2025 which will make both encoding with password protection and updating password protected tags quick and easy. Just open the app, tap on encode, enter a new URL and your password and tap the tag.
If you prefer to encode the NFC tags yourself with password protection, the new Seritag NFC Encoder app will offer this as well. Again, just open the app, tap encode, enter your link/data and the password and encode.
Just don't lose that password!