Unencrypted cards are copied by a £30 device in seconds. Encrypted cards are only as strong as the keys behind them - and most estates don't know where those keys live.
Unencrypted 125 kHz prox cards broadcast a static ID that a £30 copier can read and rewrite to a blank in seconds. We replace the card - and we own the keyring that replaces it.
An unencrypted 125 kHz card emits its ID any time something powers it. A reader in a bag, against a pocket, in a lift: that is all it takes. Read time: 3.8s.
Without a fresh nonce on every handshake, the reader can't tell the card from a recording of the card. A static credential is a recording on a loop.
Two phones - one at the target door, one near the victim. They bridge the radio exchange in real time. The reader thinks the card is right there.
A reader configured to fall back to unencrypted 125 kHz prox "for compatibility" is a reader that accepts a cloned card. Mixed estates inherit their weakest door.
A DESFire card is strong because it shares a secret with the reader. Lose control of the secret - who made it, where it sleeps, when it rotates - and you're back to prox. We own the lifecycle end to end.
Master keys generated inside a Common Criteria EAL-6 certified HSM. The raw key never exists in software, never touches an admin laptop.
Diversified per-card keys derive from the master on demand. Every card carries a unique secret. Extract one, learn nothing about the others.
Scheduled rotation across the reader fleet, zero-downtime overlap windows, audit log per door. A compromise in October doesn't outlive October.
When a site closes or a supplier leaves, the key is retired, not archived. Attestation report, signed, minuted. No dormant backdoor.
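Two of the points above, fresh nonces and per-card key diversification, in a runnable model. This is an added illustration, not this vendor's code and not the real DESFire protocol: HMAC-SHA256 stands in for CMAC/AES, the master key and UIDs are constructed sample values, and the `fresh_nonce` switch is a hypothetical knob for showing what a static challenge costs.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the demo; a real master key lives in the HSM, never in code.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
APP_ID = bytes.fromhex("f51230")

def diversify(master: bytes, uid: bytes, aid: bytes) -> bytes:
    """Per-card key from master, card UID and application ID. HMAC-SHA256 stands in
    for the CMAC derivation a real DESFire estate uses; the property is the same:
    every card carries a different secret, and one leaked key says nothing about the rest."""
    return hmac.new(master, uid + aid, hashlib.sha256).digest()[:16]

class Card:
    """Genuine card: holds its diversified key and MACs whatever challenge it is given."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid, self._key = uid, key
    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()

class Recording:
    """A copied exchange: replays the one response it captured, whatever it is asked."""
    def __init__(self, uid: bytes, captured: bytes):
        self.uid, self._captured = uid, captured
    def respond(self, challenge: bytes) -> bytes:
        return self._captured

class Reader:
    """Re-derives the card key (on a real door this sits in a SAM/HSM, not reader firmware)
    and checks the response. fresh_nonce=False models a reader reusing one challenge."""
    def __init__(self, master: bytes, aid: bytes, fresh_nonce: bool = True):
        self.master, self.aid, self.fresh_nonce = master, aid, fresh_nonce
        self.last_challenge = bytes(16)
    def authenticate(self, card) -> bool:
        if self.fresh_nonce:
            self.last_challenge = secrets.token_bytes(16)
        key = diversify(self.master, card.uid, self.aid)
        expected = hmac.new(key, card.uid + self.last_challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, card.respond(self.last_challenge))

def replay_succeeds(fresh_nonce: bool) -> bool:
    """Observe one genuine exchange, then present the recording to the same reader."""
    uid = bytes.fromhex("04a1b2c3d4e5f6")
    card = Card(uid, diversify(MASTER_KEY, uid, APP_ID))
    reader = Reader(MASTER_KEY, APP_ID, fresh_nonce)
    assert reader.authenticate(card)                 # the genuine card always passes
    captured = card.respond(reader.last_challenge)   # what an eavesdropper would hold
    return reader.authenticate(Recording(uid, captured))
```

With a fresh nonce the recording is rejected; with a reused challenge the same recording opens the door, which is exactly the downgrade to a static credential the text warns about.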
Common Criteria · EAL 6. Your keys in your hardware. Yours, not ours. Master keys stay inside a tamper-evident HSM on your estate or in your cloud tenant. We operate it under a split-custody agreement: two keyholders to rotate, four eyes to decommission, zero keys in spreadsheets.
Cryptography, identity and privileged access - all evidenced by HSM attestation and per-reader key logs.
Cryptography and key management: documented policy, rotation schedule, incident playbook tied to credential estate.
A cloned badge is a data breach. Strong cards close a class of reportable incidents outright.
Common Criteria EAL-6 certified HSM underneath. Auditors see a certificate, not a claim. The key estate inherits the posture.
Nobody replaces 6,000 badges on a Friday. The move from prox to encrypted happens a reader at a time, a cohort at a time, with both credentials live until the last one leaves.
We scan every reader, flag the downgrade paths, and map which doors share which keyspace. You see the risk before you touch a card.
Readers accept both the old prox and the new DESFire for a defined overlap, typically 30 to 90 days. No big-bang, no locked-out staff on Monday morning.
Starting with privileged and high-traffic sites. Self-service kiosks, mobile wallet where estate allows, printed-and-encoded where it doesn't.
Once every reader reports green and every cohort is migrated, the legacy key is retired from the HSM. Attestation signed. Audit closed.
Tell us what readers you have and we'll tell you which of your cards can be cloned with a £30 copier. It's usually more than you'd hope.