NTAG213 Password Protection: Are You Setting It Right?

• 🔐 More than 40% of Android NFC apps do not check PACK after authentication. This can let attackers bypass security.
• ⚠️ Setting AUTH0 or ACCESS bytes wrong can permanently lock users out of NTAG213 tags.
• 📱 Android's NfcA API allows full low-level command access. This helps manage NFC tags securely.
• 🔁 NTAG213 passwords cannot be reset. So, testing them properly before use is very important.
• 🧪 Advanced NTAG213 password protection helps make IoT and ticketing applications more secure.

NTAG213 Password Protection: Are You Setting It Right?

NFC tags like the NTAG213 are useful for contactless interactions in Android apps, IoT devices, and DIY projects. But if you set up password protection wrong, important data might be open for anyone to see. This guide shows you how to set up NTAG213 password protection. It covers the whole process, including using Android's NFC, running the PWD_AUTH command, setting and checking PACK, and correctly setting up AUTH0 and ACCESS bytes. This way, you can make sure your tags are not just secure, but well-secured.

Understanding NTAG213’s Security Framework

Before looking at code or Android details, you should know how the NTAG213's security works. NTAG213 is one of NXP's NTAG21x family. It is made to give simple authentication and memory protection for RFID/NFC devices. It allows password-protected memory access. This lets developers control who can read and write data.

Memory Layout and Configuration Pages

NTAG213 has 144 bytes of user memory. This is split into 36 pages, with 4 bytes per page. Configuration and control bits are in pages 42–45. These pages are important for setting up and handling tag security.

• Page 43 – Stores the PWD (password) you define for authentication.
• Page 44 – Holds the PACK (password acknowledge), ACCESS byte, and AUTH0.
• Page 42 – Has other settings, like lock bits and optional NFC counters.
• Page 45 – Manages features such as the NFC Counter value (if turned on).

Note that each page write changes four bytes at once. So, putting configuration values (like ACCESS, PACK, AUTH0) into one page write is important.

Key Elements for Security

It is important to understand each part of the security:

• PWD (Password) – A 32-bit (4-byte) security value needed for authentication through PWD_AUTH commands. Without it, you cannot access protected memory.
• PACK – A 16-bit (2-byte) value given back after a successful authentication. It confirms the PWD you gave is correct.
• ACCESS Byte – Uses small flags to control how it works. For example, it sets if password protection is for writing only, or for both reading and writing (using the PROT bit).
• AUTH0 – This byte sets the first page number from which authentication is required.

These settings work together. They make a way to access data that can be changed, but can also be risky. If one setting is wrong, the tag might get locked forever.

How NTAG213 Password Protection Works

NTAG213 offers security at a detailed level. This gives developers precise control, but also calls for great care.

The Role of PWD_AUTH

The PWD_AUTH instruction is central to NTAG213's protection. It is an NFC command made of:

• Command Byte: 0x1B (shows PWD_AUTH)
• Password (4 bytes): The password sent to the tag for checking

When it gets this, the tag checks the given password against its saved PWD. If they match, it sends back a 2-byte PACK value. This shows the authentication worked. This starts a secure session. During this time, you can access protected pages until the tag loses power.

On Android, you do this using the transceive() method in the NfcA API class.

Validating the PACK Response

Checking the PACK is important, but often missed. If you do not check the PACK, an attacker could send any password and get in by chance or by trying many passwords. Checking the PACK makes sure the PWD_AUTH response truly means authentication worked.

A 2022 study by Lopez and others found that over 40% of Android NFC apps did not check the PACK correctly. This made their security useless.

AUTH0: The Gatekeeper

The AUTH0 byte sets the lowest memory page where password protection starts. For example:

• AUTH0 = 0x04 (Page 4) → Pages 0–3: unprotected; Pages 4–end: protected.
• AUTH0 = 0xFF → Password protection disabled entirely.
• AUTH0 = 0x00 → All user-accessible pages protected.

Be careful: never set AUTH0 below page 42 unless you mean to protect or limit access to the settings section (pages 42–45). If you do this without planning, you might not be able to update or fix the tag later.

ACCESS Byte: A Subtle but Important Byte

The ACCESS byte has flags. These control how access works and if optional NFC tracking features are on:

• Bit 0: PROT
  • 0: Write-only protection
  • 1: Read and write protection
• Bits 4–6: These control other features. For example, they turn on (NFC_CNT_EN) and protect the NFC counter, and set its page address.

A common recommended ACCESS setup for secure apps is:

byte accessByte = (byte) 0x80; // PROT=1, NFC features off

But, you need to check all bits based on what your specific app needs.

Android NFC Capabilities Overview

Android offers good support for NFC interactions. It uses NfcAdapter, Tag, and tech classes such as NfcA, Ndef, MifareClassic, and others. NTAG213 tags use ISO 14443-A. The NfcA tech handles them.

Android NFC Prerequisites

To use NFC features in your Android project:

• Manifest Permissions:

  <uses-permission android:name="android.permission.NFC" />
  

• Tech Filters in Manifest:

  <tech-list>
    <tech>android.nfc.tech.NfcA</tech>
  </tech-list>
  

• Enable Foreground Dispatch: Use an activity you have registered. This lets you catch NFC tags with Android's intent system.

• Android API Support: Basic NFC functions are ready from API level 10. For strong operations like parsing, authentication, and transceiving, newer Android versions (API 19+) work better and have more tools.

How to Implement PWD_AUTH Correctly in Android

Here is the right way to do NTAG213 password authentication using pwd_auth android.

Step-by-Step Authentication

// Prepare PWD_AUTH command
byte[] cmd = new byte[5];
cmd[0] = (byte) 0x1B; // PWD_AUTH
cmd[1] = pwd[0];      // Password bytes
cmd[2] = pwd[1];
cmd[3] = pwd[2];
cmd[4] = pwd[3];

// Send and receive response
byte[] response = nfc.transceive(cmd);

// Validate PACK
if (response[0] != pack[0] || response[1] != pack[1]) {
    throw new SecurityException("Authentication failed: Invalid PACK.");
}

⚠️ Important: If the PACK is wrong or does not match, it can seem like authentication worked when it did not. This can open up protected memory by mistake.

Configuring Password and PACK Values

To configure password and PACK values securely:

Writing the Password (PWD) to Page 43

byte[] pwdWriteCmd = {
    (byte) 0xA2, // WRITE
    43,          // Page address
    pwd[0], pwd[1], pwd[2], pwd[3]
};
nfc.transceive(pwdWriteCmd);

Writing PACK + ACCESS + AUTH0 to Page 44

Make sure all 4 bytes are together in the write command:

byte[] packWriteCmd = {
    (byte) 0xA2, // WRITE
    44,
    pack[0], pack[1], accessByte, auth0
};
nfc.transceive(packWriteCmd);

💡 Tip: Write both PWD and PACK only after full testing on copied or test tags. Bad settings can cause problems that cannot be fixed.

Setting Up AUTH0 and ACCESS Correctly

Choosing the Right AUTH0 Value

Example scenarios:

• AUTH0 = 4 → Protect from page 4 and up. This works well for IDs that can only be read, and for secure web addresses.
• AUTH0 = 42 → Protect tag settings only.
• AUTH0 = 0 → Total lock (use only if you fully know what will happen).

⚠️ Recommended minimum AUTH0: Page 4. Do not protect pages 0–3 unless needed for apps that only deal with secure settings.

Finalizing the ACCESS Byte

byte accessByte = (byte) 0x80; // Bit 0 (PROT) = 1 (read/write protection), other bits = NFC features off

If your app needs NFC counters or different ways of working, use your knowledge of bitmasking.

Validating Protection Setup

After setting everything up, run tests to check if the NFC tag works as you expect:

1. Try to read protected memory areas without authentication – this should fail.
2. Send PWD_AUTH → Check PACK.
3. Try to read memory again → This should work after authentication.
4. Use tools or apps to check how it responds.

✅ Recommended App: NXP NFC TagInfo – It reads all tag data, like ACCESS, AUTH0, and PWD protection status.

Cautions & Recovery

Mistakes in setting up NTAG213 can lead to problems you cannot undo:

• 🧱 Irreversible Lock: If you set AUTH0 below 42 by accident, and PROT is not off, the tag can become impossible to control.
• ❌ Bricking Tags: Setting passwords or config pages that cannot be reached.
• 🔁 Deploy With Staging: Always try things out with test tags first. Then, put them into final products.
• 🔄 No Reset Method: Unlike some smartcards, NTAG213 has no way to recover or reset if you forget the password or lose the PACK.

Plan first. Then, test, and copy tags safely.

NTAG Tools and Libraries for Android NFC

✨ Open-source libraries and tools help make ntag213 password protection simpler on Android:

• NXP's TagWriter SDK: Official SDK with many features (you might need a license).
• NfcV-Reader: For NfcV tags, but you can change it for NfcA-based tags like NTAG213.
• LibNFC or NFC Tools apps – useful for seeing commands, checking traffic, and finding low-level problems.

Developers can also use USB sniffers or debugging libraries for emulation and replay.

Advanced Use Cases

You can use protection in more complex ways:

• ✅ Ticketing & Event Access: Tokens run out and get checked as needed.
• 🔒 Hierarchical Access: Use different AUTH0 levels for each feature. This helps control access in parts.
• 🌐 IoT Embedded Systems: Tags for settings that have changing levels of protection.
• 💤 Temporarily Disabling Protection: Admin tools that turn AUTH0 or PACK on and off during repairs.

These plans need synced backend and firmware systems.

FAQs & Troubleshooting

PACK validation failed — what's wrong?

Make sure bytes match exactly, in the right order. And, some NFC drivers read data wrong. So, check with another tool, like NXP TagInfo.

How to recognize an true NTAG213?

Use Android to dump getAtqa() and getSak() values with NfcA.get(tag). NTAG213 usually gives ATQA 0x0044 and SAK 0x00 as a response.

What’s the default password?

Factory default PWD = FF FF FF FF. You must always change it before using tags for real!

Can I wipe or factory reset NTAG213?

No. Once you write over it with a password and AUTH0, you cannot go back unless you saved the access bits correctly.

Final Recommendations and Summary

Setting things up right makes devices safer. Setting them up wrong can make tags useless. When using NTAG with Android NFC:

• ✅ Always check PACK after sending PWD_AUTH.
• 🛡 Set AUTH0 to protect only the areas you want. Do not protect too much by accident.
• ⚙ Set up ACCESS carefully. Understand how PROT and NFC_CNT_EN work.
• 🔍 Use real test tools before putting tags into use.
• 💯 Knowing the pwd_auth android command structure well is very important.

If you pay close attention, tags become very useful tools for safe, passive mobile interactions.

Code Snippet Appendix

Example: Configure Password and Protection

{
  "PWD": "A1B2C3D4",
  "PACK": "5E6F",
  "ACCESS": "80",
  "AUTH0": "04"
}

Sample Transceive Output

SEND: [1B A1 B2 C3 D4]
RECV: [5E 6F]

Android Setup Example
Find the full working Activity and NFC dispatch code on our GitHub sample repo (this link is just an example).

If you are making secure NFC apps on Android, check that your NTAG213 setup is strong enough. Do not take shortcuts. Check everything. Your tags and users will be safer.

Citations

• NXP Semiconductors. (2019). NTAG213 Product Data Sheet (Rev. 3.2). Retrieved from https://www.nxp.com/docs/en/data-sheet/NTAG213_215_216.pdf
• Pillai, M., & Kumar, S. (2020). Secure NFC Smart Tag Implementation. IEEE Security Workshops.
• Lopez, J., Idris, M., & Suresh, A. (2022). Security Analysis of NFC Communication in Android Apps. Journal of Mobile Systems.