How secure can you guarantee the safety and security of data held with QR codes and NFC tags?

This is a big question and we could write a whole article on the answer but we'll keep it simple here ! For clarity, we will answer in relation to the data stored within the tag/QR code rather than the security of data related to where the QR code or NFC tag links to. For additional clarity, this could become a very complex answer and we've tried to keep things simple in the answer here.

For QR codes, there's no security of the data held within the QR Code itself. Anyone can see the data and anyone can then recreate the data in a new QR code. There's no solution to this.

For NFC tags, there's two types of chip. Standard chips, such as the NTAG213 and authentication chips, such as the NTAG424.

For standard chips, many of these (including the NTAG213) have the ability to protect data with a simple 'PIN'. This means that the data can either be protected from change or protected from view completely, depending on how you configure the chip. This is likely to prevent the average user from being able to change/view the data but it ultimately limited in it's protection.

For authentication NFC tags, such as the NTAG424, the data can be stored on the tag to a very high degree of security. The security standard of an NTAG424 is AES128 which is reasonably considered to strong enough to withstand any brute force attack with normal computers. Clearly, with the advent of quantum computing, any current level security could be considered at risk but as it stands today, AES128 is likely to be more than enough.

Clearly, all of this depends on what you are trying to protect and how. There's an old security saying that nothing protects against time. If someone waits long enough or has enough time, almost anything will eventually be broken.

But, at this stage, if you want any level of security - don't use a QR code !
Seritag - 14 Mar 2025