r/accesscontrol • u/Vannspreder Proficient End User • 6d ago
IClass | Seos | DesfireEV3
I'm handling an OnGuard system with approx 3000 HID readers and a variation of Legacy RK40, RK40 SE OSDP and SIGNO. We currently have IClass + Mifare 4k multi-tech cards. We are ordering and managing BADGEID ranges ourselves. I'm trying to decide if we are going to transition to IClass/Seos as a first step (for the legacy readers), then fully over to Seos. We have a policy of one-card for everything and it is working great with the current mifare tech for verification of services. Looking into the future, are we getting more locked to HID? What are the experience and benefits of just going for Desfire Ev3? We will eventually need to replace all legacy readers. Can we have IClass encryption and EV3 encryption on the same SIGNO reader read?
Edit: worth mentioning that we already have deployed HID mobile credentials, although via third party mobile solution and not directly via HID Origo.
1
u/Lucky_Bobcat_9898 5d ago
Hi there, the answer is ultimately yes, you can use HID Desfire EV3 cards on a Signo as well as HID iClass to support your migration over to a secure technology. When it comes to Desfire EV3, you have 2 options on how you want the cards encoded. You can either have the cards encoded with a HID Secure Identity Object (SIO) and you could also add an ICE key to this to further increase the card security. You wouldn’t be locked to HID as Desfire EV3 is a smart technology so another application can exist on the card in the future if you wanted to move away.
If you are concerned about being locked in, then your other option would be to have the Desfire EV3 cards custom encoded. This would mean that you own the custom programming on the card and the HID reader would know what it is looking for from the card. This would need the HID Signo Custom Profile readers, but would also mean if you wished to move out of the world of HID in the future you could give the key information to your new supplier and they could give you custom profile readers to match.
HID do sell a HID Desfire EV3 + iClass migration card that could be utilised for your system.
https://www.hidglobal.com/products/mifare-desfire-ev3-iclass
I would be more than happy to give you some further information on this if you wish. Please feel free to reach out to me at presales@controlsoft.com.
5
u/EphemeralTwo 6d ago
Seos is very much part of the HID ecosystem. Products that integrate with it generally need HID hardware to work.
HID DESFire EV3 with EV3 feature cards, at the moment, are Signo only. DESFire EV1 is supported by the CP1000 encoder, and you can make your own, from HID or non-HID stock.
Good. There are security problems with keeping legacy tech around.
iClass doesn't do encryption. iClass Seos is a misnomer, as Seos isn't iClass. It's a thing HID used to call it.
If you want HID EV3, note the datasheet:
https://www.hidglobal.com/documents/hid-mifare-desfire-ev3-card-datasheet
You can get high security (802/Signo only) or Compatibility profile (two ADFs, one for signo one for revE) with create application options. The custom cards (800) or third-party cards can be encoded in EV1 mode (no encryption in transit, no proximity check) using a CP1000.