The first technical decision in any NFC-based product-authentication project is also the most consequential: which chip do you embed?
NXP Semiconductors makes the two chips that cover ~95% of brand-protection deployments today: the NTAG213 and the NTAG424 DNA. They look identical from the outside, fit the same form factors, and read on the same smartphones. Internally they sit on opposite ends of the security and cost spectrum.
This guide is the framework we use with brands during a Hashentic chip-selection workshop. Read it in full, then pick the answer that matches your product economics.
The 30-second answer
If your product retails below β¬5 and is not safety-critical, NTAG213 is the right answer. If your product is high-value, regulated, or already a known counterfeit target, NTAG424 DNA is non-negotiable.
The interesting questions live in the middle.
What each chip actually is
NTAG213
A passive NFC Type-2 tag with 144 bytes of user memory. Stores a static URL plus a 7-byte unique ID (UID) that is locked at the factory. When a phone taps it, the URL opens β usually with the UID appended as a query parameter for the backend to recognize the chip.
NXP's password protection scheme prevents casual tampering with the URL, but the UID itself is publicly readable by anyone with an NFC-capable phone.
NTAG424 DNA
A passive NFC Type-4 tag with a secure element built in. The chip stores a cryptographic key in tamper-resistant memory and uses it to compute a dynamic CMAC (cryptographic message authentication code) on every read. Each tap generates a unique signed token β never the same value twice.
The clever part: the chip can also include a rolling counter that increments per scan. This lets the backend detect cloning attempts even before the math fails β anomalous counter sequences are a tell.
Side-by-side
| NTAG213 | NTAG424 DNA | |
|---|---|---|
| Security model | Static UID + URL password | Dynamic CMAC + secure element |
| Clone resistance | Low β UID is readable | Bank-grade β key is isolated on chip |
| Encryption | NXP password (4 bytes) | AES-128 + CMAC |
| Authentication | Static (UID lookup) | Dynamic challenge-response |
| Tap counter | No | Yes (rolling, signed) |
| User memory | 144 bytes | 416 bytes |
| App required | No | No |
| Smartphone compatibility | Universal (Android + iOS 14+) | Universal (Android + iOS 14+) |
| Typical unit cost | $0.05β$0.15 | $0.40β$1.20 |
| Read range | 1β4 cm | 1β4 cm |
The cost difference looks huge in percentage terms but absolute. At 100k tags, you're looking at maybe β¬100k difference per million units β meaningful, but trivial against the cost of a single counterfeiting incident on a luxury or pharma SKU.
When to choose NTAG213
Pick NTAG213 when all of these are true:
- Unit value is under β¬5β10 retail
- Product is not safety-critical (food, pharma, automotive parts β out)
- Counterfeiting is annoying but not strategically dangerous to the brand
- Consumer experience is the primary use case (loyalty, content, provenance storytelling)
- You can absorb the rare clone without reputational damage
Best fits: specialty coffee bags, premium tea, chocolate, basic apparel labels, event tickets, low-value collectibles.
When NTAG424 DNA is the only acceptable answer
Pick NTAG424 DNA when any of these are true:
- Unit value is over β¬50 retail
- Product is regulated (pharma, batteries, automotive, ID documents)
- Counterfeiting causes physical harm if undetected
- Resale market depends on verifiable authenticity
- You need to detect cloning attempts (not just block them)
Best fits: luxury bags, wine and premium spirits, watches, medicine and pharma, batteries (mandatory under EU 2026), high-end electronics, signed documents.
For categories under EU DPP enforcement (batteries from 2026, expanding through 2030), the NTAG424 isn't strictly mandated by name β but the regulation's audit-trail and tamper-resistance requirements are very hard to satisfy with a static UID. Most legal teams default to NTAG424 for compliance comfort.
The middle ground
What about β¬15ββ¬50 products β premium cosmetics, mid-range apparel, specialty F&B? This is where the trade-off gets interesting.
Three questions to break the tie:
- What's the lifetime value of one prevented return for counterfeit? If it's >β¬20, the NTAG424 cost is amortized within a single saved transaction.
- Does your category have an active grey market? If yes, NTAG424 lets you build a verification gate that resale platforms can integrate. NTAG213 cannot.
- Are you planning loyalty/repeat-purchase mechanics? If yes, the rolling counter on NTAG424 lets you do per-scan rewards safely. NTAG213 makes this trivially exploitable.
If two or more answers point to NTAG424, pay the extra cents.
What the platform layer actually does
Both chips are dumb without backend infrastructure to interpret them. Hashentic's platform handles both transparently:
- For NTAG213 reads, it validates the UID against the registered product database and returns the consumer passport view
- For NTAG424 DNA reads, it performs the CMAC challenge-response, validates the rolling counter for anomalies, anchors the verification event on the Xordex private blockchain, and only then returns the passport
From the brand's perspective, you ship two SKUs through the same admin dashboard. From the consumer's perspective, they tap and see the same branded experience. The chip difference is invisible until you investigate a fraud case β and then the difference is night and day.
A common mistake: starting with NTAG213, "upgrading later"
We've seen this play out badly several times. A brand picks NTAG213 to test the waters cheaply, plans to migrate to NTAG424 once they prove the consumer engagement thesis. Then a counterfeit ring shows up, clones the static UIDs across thousands of fake products, and the brand discovers there's no way to retroactively distinguish real from fake β the database has both real-product and clone scans recorded with valid UIDs.
If you're going to use NFC for anything beyond pure marketing, start with NTAG424 DNA on at least your top 20% of SKUs (the ones counterfeiters would target first). You can use NTAG213 on the long tail.
What about NTAG424 TT (Tamper Detect)?
NTAG424 DNA has a sibling β the TT variant with a tamper loop that detects when the tag has been physically removed or destroyed. This adds a small premium but matters for tamper-evident seals in pharma packaging and tickets. We deploy it for medicine packaging seals and event ticket stubs by default.
The right chip choice protects margin for the next decade of your product line. If you want a workshop to apply this framework to your specific SKUs, book a 30-minute call and we'll review your portfolio together.
