125 kHz Vs 13.56 MHz RFID

The physics of the two bands

Before the security conversation, it is worth understanding why these two frequencies exist at all and why they behave the way they do in the reader lane. The two bands were never chosen for security reasons. They were chosen for propagation and regulatory reasons, and their security profiles emerged as a consequence of the silicon that got built into each era.

• 125 kHz sits in the LF (low frequency) band, 30 kHz to 300 kHz. It uses near-field magnetic coupling. The reader antenna pushes energy into the card's copper coil through induction, similar to a transformer. Wavelengths are roughly 2400 m, so the entire coupling happens in the magnetic near field and is effectively unaffected by body tissue, concrete walls or wooden doors. LF penetrates metal poorly but penetrates water and human flesh well enough to work through a jacket pocket or a gloved hand.
• 13.56 MHz sits in the HF (high frequency) band, 3 MHz to 30 MHz. It also uses near-field magnetic coupling but at a much higher carrier, which allows far greater data bandwidth (106-848 kbps for ISO 14443 vs roughly 2 kbps for EM4100). The shorter wavelength (~22 m) shrinks antenna dimensions, so a 13.56 MHz antenna can be etched directly into a card lamination rather than wound as a discrete coil.
• Read range follows antenna geometry and field strength, not frequency per se. Typical production values are 5-15 cm for 125 kHz ISO-compliant cards and 3-10 cm for 13.56 MHz cards. Higher-power 13.56 MHz 'vicinity' readers conforming to ISO 15693 reach 50-100 cm — useful for library self-checkout and hands-free access — but the overwhelming majority of access-control deployments stay in the proximity range.
• Bandwidth is the hidden gap. 125 kHz supports one-way broadcast of a 40-64 bit serial number and, on T5577 and similar chips, a handful of write cycles. 13.56 MHz ISO 14443 supports full bidirectional challenge-response transactions, multi-sector file systems, and cryptographic authentication in under 100 ms — the runway on which every modern secure credential is built.
• Regional regulation is uniform for both bands. 125 kHz and 13.56 MHz are globally allocated as license-free ISM bands, so the same credentials work identically in North America, Europe, China, Japan, India and the Middle East. This is the reason 125 kHz remains so entrenched. A single SKU works everywhere the tenant operates, and a 1990s-era 125 kHz reader in Detroit still reads a card issued yesterday in Riyadh.

Security reality — cloning attack economics

Security discussions about LF vs HF often devolve into abstractions about 'encryption strength'. The practical question is different. How cheap and how fast is a working clone? That is the number a building owner should weigh against the cost of credential and reader replacement.

• EM4100 / EM4102 / EM4200 (125 kHz): no encryption, no authentication, UID broadcast in plain Manchester-encoded ASK. Clone time with a $25 Keysy-class handheld: under three seconds, including the time to press the button. The resulting T5577 copy works on every reader the original works on, forever.
• HID ProxCard II and Indala (125 kHz with proprietary modulation): marginally more resistant than EM4100 because the bit encoding is non-standard, but a Proxmark3 RDV4 at about $350 breaks them in under thirty seconds and writes the captured data to a T5577 blank. HID Prox cloning has been routinely demonstrated at public security conferences (DEF CON, Black Hat, ShmooCon) since the early 2010s; treat it as a commodity attack, not a rare one.
• MIFARE Classic 1K/4K (13.56 MHz, Crypto-1): the Crypto-1 stream cipher was reverse-engineered in 2008 by researchers at Radboud University and TU Berlin. A nested or darkside attack extracts all sixteen sector keys from a live card in under ten minutes using a Proxmark3 or ACR122U; cloned onto a Gen2 magic UID card, the copy is indistinguishable from the original. Roughly 70% of access-control cards sold before 2018 were MIFARE Classic.
• MIFARE Plus (13.56 MHz, AES-128 in security level 3): the Plus family closes the Crypto-1 vulnerability by using AES-128 mutual authentication. No known practical attack exists against Plus SL3 after a decade of public research. Migration from Classic to Plus can often be done on the existing reader population with a firmware update.
• MIFARE DESFire EV3 (13.56 MHz, AES-128, 3DES, ISO 7816-4 filesystem): the current gold standard for enterprise and government access. CC EAL 5+ certified silicon, secure messaging, and a full multi-application filesystem. No known practical attack. Card cost $0.40-$0.80 at volume.
• LEGIC advant and iCLASS SEOS (13.56 MHz, proprietary AES-based): comparable security level to DESFire EV3 but tied to a closed ecosystem. Typically chosen when the access-control OEM mandates it rather than on pure technical merit.
• The takeaway for a building owner: the cloning gap between LF and HF is not a question of whether a clone is feasible, it is a question of how trivially available the tools are. LF cloning tools sell on Amazon for less than the price of a restaurant lunch. HF DESFire cloning tools, if they existed, would be nation-state research projects.

Side-by-side specification table

The quick-reference comparison for specifications that actually drive the first reader-family shortlist.

Reader market and installed base

Reader selection is where the migration math gets real. An office with 400 doors cannot upgrade overnight. What is feasible is a phased reader swap over eighteen to thirty-six months, using dual-frequency cards to bridge the populations.

• Major 125 kHz reader lines still in production: HID ProxPoint Plus, Indala, AWID, Keri Systems Proximity. Price band $50-$150, wiring on Wiegand 26-bit or 32-bit output. Shipment volumes have declined every year since 2017 as customers migrate.
• Major 13.56 MHz reader lines: HID iCLASS SE and Signo, LEGIC advant, NXP SAM-based OEM integrations, Allegion aptiQ, Schlage ENGAGE. Output now commonly OSDP v2 over RS-485 (secure channel) rather than the clear-text Wiegand used on legacy LF readers.
• Dual-frequency reader lines that read both LF and HF simultaneously: HID iCLASS SE R10/R40 multiClass, LEGIC connect.id, Farpointe Data Delta-Extend. These read EM4100, HID Prox, MIFARE Classic and DESFire in a single package at $120-$280, which is the single most useful product category during a phased migration.
• OSDP v2 vs Wiegand 26 is a separate but parallel security upgrade. Wiegand's unencrypted two-wire output can be sniffed and replayed with a $10 ESPKey device; OSDP Secure Channel uses AES-128 between reader and panel. A serious security upgrade combines the move from 125 kHz to 13.56 MHz with the move from Wiegand to OSDP SCP, and both tend to be done on the same reader swap.
• Installed base skew matters for project planning: a meaningful share of the North American access-control installed base is still 125 kHz (EM4100 or HID Prox), with industry surveys and SIA commentary typically putting the legacy LF share in the majority as of recent years — verify with current SIA or integrator data before citing a specific percentage. Europe skews heavier toward 13.56 MHz (MIFARE in particular) because of earlier consumer banking NFC adoption. Middle East and APAC new builds go almost exclusively to DESFire EV3 or LEGIC advant.

Migration pattern with dual-frequency cards

The cleanest migration path is a one-card, phased-reader approach. It avoids the logistical disaster of reissuing ten thousand cards on a single weekend, and it lets the security team sequence reader replacement by risk.

• Phase 1 — issue dual-frequency cards to the entire population. Each card contains both a 125 kHz chip (EM4100 or T5577, programmed with the legacy facility code and card number) and a 13.56 MHz chip (typically DESFire EV3, programmed with a new encrypted credential). During this phase the dual-frequency cards work with every existing 125 kHz reader. Card cost FOB is typically $0.55-$1.10 depending on volume and chip choice.
• Phase 2 — replace readers on highest-risk doors first: server rooms, HR file rooms, executive floors, pharmacy, data-center cages. Use dual-frequency readers so tenants with legacy 125 kHz-only cards keep working while the new DESFire credentials activate on upgraded doors.
• Phase 3 — bulk replace remaining doors by floor or by zone. At this point the majority of doors are reading DESFire credentials, and the LF chip in the dual-frequency card is dormant on upgraded doors but still live on the remaining legacy doors.
• Phase 4 — after the last reader is swapped, all doors are reading the DESFire credential. The LF chip in the dual-frequency card becomes dead silicon. New card issuance can move to DESFire-only cards at $0.40-$0.80 FOB.
• Typical timeline for a ten-thousand-card, four-hundred-door deployment: twelve to twenty-four months of phased reader replacement, with roughly 30-50% of the total reader budget in year one, 30-40% in year two, and the remainder as trailing installs and move-in/move-out reader refreshes.
• A common mistake is skipping Phase 1 and trying to do card and reader swap on the same weekend. This works for very small deployments (under fifty doors and a few hundred cards) but becomes a labor nightmare at scale, and it leaves zero rollback path if a reader install fails at a critical door.

When to stay with 125 kHz and when to upgrade

Not every deployment needs DESFire EV3. There are genuinely legitimate reasons to stay on 125 kHz for another cycle, and there are deployments where sticking with 125 kHz is organizational malpractice.

• Stay on 125 kHz when: the facility has low intrinsic security value (storage units, unattended parking lots, rural facilities with perimeter fencing and cameras), the cost of a reader swap exceeds the remaining useful life of the facility, and there is no regulatory or insurance requirement for encrypted credentials.
• Stay on 125 kHz when: the existing card population is under two hundred and the building owner can afford to issue a completely new credential population on a single day in two years. At that point, migrating directly to DESFire EV3-only cards and readers is cheaper than a multi-year phased migration with dual-frequency cards.
• Upgrade to 13.56 MHz when: the facility holds regulated data (HIPAA, PCI-DSS, SOC 2, GDPR personal data, classified information), the tenant offers mobile credentials to staff, the access-control system is part of a corporate security audit, or insurance carriers require encrypted physical access control.
• Upgrade to 13.56 MHz when: the building operates shared amenities that require cashless payments (campus dining, vending, parking, laundry). DESFire EV3 supports a payment application in a separate file from the access application, on the same card.
• Upgrade to 13.56 MHz when: credential churn is high (conference hotels, student housing, co-working). Mobile credentials via Apple Wallet or Google Wallet reduce the cost of credential issuance to near zero and are only available on 13.56 MHz.
• Upgrade to 13.56 MHz for any new installation in 2024 or later. There is no financial argument for specifying 125 kHz in a greenfield build. The reader cost delta is under $50 per door, and it avoids the inevitable migration cost cycle in five to eight years.

Cost model for a reference deployment

A reference model for a ten-thousand-card, four-hundred-door mixed-tenancy office campus, showing the total cost of ownership difference between 'stay on 125 kHz' and 'phased migrate to DESFire EV3'.

• Stay on 125 kHz (status quo): credential replacement every three years at $0.12/card × 10,000 = $1,200 per cycle. Reader maintenance and end-of-life replacement at $150/reader × 50 doors/year × year = roughly $7,500 per year. Total five-year cost roughly $39,500. Unquantified liability: the cost of a cloning-enabled breach is anywhere from zero to catastrophic depending on what is behind the doors.
• Phased migrate to DESFire EV3 over 24 months: dual-frequency cards at $0.70/card × 10,000 = $7,000 one-time. Dual-frequency readers at $180/reader × 400 doors = $72,000, spread over 24 months. Labor for reader installation at $120/door × 400 doors = $48,000, also spread over 24 months. Total migration cost roughly $127,000 over two years.
• Post-migration steady state: DESFire EV3-only cards at $0.50/card × 3,000 new cards per year (churn rate) = $1,500 per year. Mobile credentials for 40% of staff at $3/year each × 4,000 staff = $12,000 per year operating cost, offset by near-zero card reissuance cost on those users. Reader maintenance negligible in years three through seven.
• Break-even analysis: the migration pays back in year four or five purely on credential and maintenance savings, and earlier if mobile credentials replace plastic issuance for a meaningful share of staff. The upside that does not appear in the direct spreadsheet (elimination of cloning-enabled breach risk, tenant-facing security posture improvement, compliance audit simplification) is typically the argument that closes the budget conversation.
• This model is a reference only. Real deployments vary materially by labor rates, whether OSDP upgrade is bundled into the same project, and the mix of mobile vs plastic credential issuance. The purpose is to establish that the 125 kHz 'do nothing' option is not actually free (it has ongoing costs and a rising liability tail) and that the migration is rarely as expensive as the first budget meeting suggests.

FAQ