28  NFC Implementation and Applications

Key Concepts

• NFC Controller IC: A dedicated chip (e.g., NXP PN532, ST CR95HF) that implements NFC/RFID reader or card emulation functions and interfaces with a host microcontroller via SPI/I²C/UART
• HCI (Host Controller Interface): The communication protocol between an NFC controller IC and its host processor; defines how the host sends commands and receives events
• ISO 7816-4 APDU: Application Protocol Data Unit; the command-response pair format used for smart card communication; used in NFC card emulation
• HCE (Host Card Emulation): An Android feature that allows an app to handle NFC card emulation requests in software, without a hardware secure element
• Secure Element (SE): A tamper-resistant hardware component that stores cryptographic keys and processes sensitive NFC transactions (used in contactless payment)
• LLCP (Logical Link Control Protocol): The NFC Forum protocol enabling peer-to-peer data exchange with connection-oriented and connectionless services
• SNEP (Simple NDEF Exchange Protocol): An NFC Forum protocol for pushing NDEF messages between peer NFC devices; used by Android Beam

28.1 In 60 Seconds

This chapter provides hands-on NFC programming across three platforms: Android Java for writing NDEF URLs and text, Python with nfcpy on Raspberry Pi for tag reading/writing, and Arduino with PN532 for embedded readers. It also covers real-world applications including mobile payments with tokenization, smart home automation via Home Assistant, product authentication, and security best practices.

Sensor Squad: Building NFC Projects

Sammy the Sensor was excited: “We get to actually build things with NFC!” Max the Microcontroller nodded and said, “That is right! We can program NFC tags using a phone, a Raspberry Pi, or an Arduino. Each one is like a different tool in a toolbox – pick the right one for the job.” Bella the Battery shared a tip: “The coolest part is making smart home tags. You write a special code on a sticker, put it on your nightstand, and when you tap your phone at bedtime, your whole house knows it is time to sleep. Lights off, doors locked, alarm set!” Lila the LED warned, “But remember to lock your tags after writing them, or someone could change what they do. It is like putting a padlock on your diary!”

28.2 Learning Objectives

By the end of this chapter, you will be able to:

• Compose NDEF Messages: Construct URL, text, and multi-record NDEF payloads and write them to NFC tags using Android, Python, and Arduino platforms
• Develop Cross-Platform NFC Applications: Build functional tag reading and writing applications across Android Java, Python nfcpy, and Arduino PN532 environments
• Design NFC-Enabled IoT Workflows: Architect smart home automation scenes and access control systems that integrate NFC triggers with backend services
• Evaluate Security Trade-offs: Assess tokenization, tag locking, encryption levels, and input validation strategies for NFC deployment scenarios

28.3 Prerequisites

Before diving into this chapter, you should be familiar with:

• NFC Communication Fundamentals: Understanding NFC operating modes, tag types, and NDEF format
• Networking Basics: Basic knowledge of communication protocols

Related Chapters

NFC Deep Dives:

• NFC Communication Fundamentals - Operating modes and NDEF
• NFC IoT Integration - IoT ecosystems and labs
• NFC Security and Comparisons - Security and technology comparisons

Related Technologies:

• RFID Hands-on - Related contactless technology
• Bluetooth Applications - BLE pairing and beacons

For Beginners: Programming NFC Tags

Programming an NFC tag is like writing a note that anyone can read by touching it with their phone. The simplest thing you can put on a tag is a URL - when someone taps the tag, their phone opens that webpage automatically.

What you need:

• An NFC tag ($0.20-$2.00 each)
• A smartphone with NFC
• An NFC writing app (free: NFC Tools, TagWriter)

Simple steps:

1. Open NFC writing app
2. Choose “Write” then “URL”
3. Enter your website address
4. Hold tag near phone’s NFC antenna
5. Done! Anyone can now tap to visit your site

---

28.4 Hands-On: Programming NFC Tags

28.4.1 Example 1: Write URL to NFC Tag (Android)

Java Code:

import android.nfc.NdefMessage;
import android.nfc.NdefRecord;
import android.nfc.NfcAdapter;
import android.nfc.Tag;
import android.nfc.tech.Ndef;

public void writeUrlToTag(Tag tag, String url) throws Exception {
    // Create NDEF message with URL
    NdefRecord uriRecord = NdefRecord.createUri(url);
    NdefMessage message = new NdefMessage(new NdefRecord[]{uriRecord});

    // Write to tag
    Ndef ndef = Ndef.get(tag);
    ndef.connect();
    ndef.writeNdefMessage(message);
    ndef.close();

    Log.d("NFC", "URL written: " + url);
}

Usage:

// In your Activity
@Override
protected void onNewIntent(Intent intent) {
    Tag tag = intent.getParcelableExtra(NfcAdapter.EXTRA_TAG);
    writeUrlToTag(tag, "https://iotclass.example.com");
}

Try It: NDEF Message Size Calculator

viewof ndefPayloadType = Inputs.select(
  ["Short URL", "Full URL", "Short Text", "vCard Contact", "Wi-Fi Credentials", "Smart Poster", "JSON Payload"],
  {value: "Short URL", label: "Payload type"}
)

viewof ndefCustomSize = Inputs.range([0, 500], {value: 0, step: 1, label: "Additional custom bytes"})

viewof ndefTagType = Inputs.select(
  ["NTAG210 (48 B)", "NTAG213 (144 B)", "NTAG215 (504 B)", "NTAG216 (888 B)", "NTAG424 DNA (416 B)", "MIFARE DESFire (2048 B)"],
  {value: "NTAG213 (144 B)", label: "Target tag type"}
)

ndefCalc = {
  const payloadSizes = {
    "Short URL": {min: 20, max: 40, example: "https://iot.co/a"},
    "Full URL": {min: 40, max: 80, example: "https://company.com/product/12345"},
    "Short Text": {min: 20, max: 50, example: "Tap to connect to Wi-Fi"},
    "vCard Contact": {min: 80, max: 150, example: "Name, phone, email, company"},
    "Wi-Fi Credentials": {min: 50, max: 100, example: "SSID, password, security type"},
    "Smart Poster": {min: 100, max: 200, example: "URL + title + icon reference"},
    "JSON Payload": {min: 100, max: 500, example: "Structured device configuration"}
  };
  const tagCapacities = {
    "NTAG210 (48 B)": 48,
    "NTAG213 (144 B)": 144,
    "NTAG215 (504 B)": 504,
    "NTAG216 (888 B)": 888,
    "NTAG424 DNA (416 B)": 416,
    "MIFARE DESFire (2048 B)": 2048
  };
  const info = payloadSizes[ndefPayloadType];
  const overhead = 12;
  const avgPayload = Math.round((info.min + info.max) / 2);
  const totalPayload = avgPayload + ndefCustomSize;
  const totalWithOverhead = totalPayload + overhead;
  const withMargin = Math.ceil(totalWithOverhead * 1.2);
  const capacity = tagCapacities[ndefTagType];
  const fits = capacity >= withMargin;
  const usagePercent = Math.min(100, Math.round((withMargin / capacity) * 100));
  return {info, overhead, avgPayload, totalPayload, totalWithOverhead, withMargin, capacity, fits, usagePercent};
}

html`<div style="background: linear-gradient(135deg, #f8f9fa, #e9ecef); padding: 1.5rem; border-radius: 8px; border-left: 4px solid ${ndefCalc.fits ? '#16A085' : '#E74C3C'}; font-family: system-ui, sans-serif;">
  <h4 style="margin-top: 0; color: #2C3E50;">NDEF Size Breakdown</h4>
  <table style="width: 100%; border-collapse: collapse; margin-bottom: 1rem;">
    <tr style="border-bottom: 1px solid #dee2e6;">
      <td style="padding: 6px 8px; color: #7F8C8D;">Payload type</td>
      <td style="padding: 6px 8px; font-weight: bold;">${ndefPayloadType} (${ndefCalc.info.min}-${ndefCalc.info.max} B typical)</td>
    </tr>
    <tr style="border-bottom: 1px solid #dee2e6;">
      <td style="padding: 6px 8px; color: #7F8C8D;">Example content</td>
      <td style="padding: 6px 8px; font-style: italic;">${ndefCalc.info.example}</td>
    </tr>
    <tr style="border-bottom: 1px solid #dee2e6;">
      <td style="padding: 6px 8px; color: #7F8C8D;">Average payload</td>
      <td style="padding: 6px 8px;">${ndefCalc.avgPayload} bytes${ndefCustomSize > 0 ? ` + ${ndefCustomSize} custom = ${ndefCalc.totalPayload} bytes` : ''}</td>
    </tr>
    <tr style="border-bottom: 1px solid #dee2e6;">
      <td style="padding: 6px 8px; color: #7F8C8D;">NDEF overhead (TLV + headers)</td>
      <td style="padding: 6px 8px;">${ndefCalc.overhead} bytes</td>
    </tr>
    <tr style="border-bottom: 1px solid #dee2e6;">
      <td style="padding: 6px 8px; color: #7F8C8D;">Total (payload + overhead)</td>
      <td style="padding: 6px 8px; font-weight: bold;">${ndefCalc.totalWithOverhead} bytes</td>
    </tr>
    <tr style="border-bottom: 2px solid #2C3E50;">
      <td style="padding: 6px 8px; color: #7F8C8D;">With 20% safety margin</td>
      <td style="padding: 6px 8px; font-weight: bold; color: #E67E22;">${ndefCalc.withMargin} bytes</td>
    </tr>
  </table>
  <div style="margin-bottom: 0.5rem;">
    <div style="background: #dee2e6; border-radius: 4px; height: 24px; overflow: hidden; position: relative;">
      <div style="background: ${ndefCalc.fits ? '#16A085' : '#E74C3C'}; height: 100%; width: ${ndefCalc.usagePercent}%; transition: width 0.3s; border-radius: 4px;"></div>
      <span style="position: absolute; left: 50%; top: 50%; transform: translate(-50%, -50%); font-size: 0.8rem; font-weight: bold; color: #2C3E50;">${ndefCalc.usagePercent}% of ${ndefTagType}</span>
    </div>
  </div>
  <p style="margin-bottom: 0; font-weight: bold; color: ${ndefCalc.fits ? '#16A085' : '#E74C3C'}; font-size: 1.1rem;">
    ${ndefCalc.fits
      ? `Fits! ${ndefCalc.capacity - ndefCalc.withMargin} bytes remaining on ${ndefTagType}.`
      : `Does not fit! Need ${ndefCalc.withMargin - ndefCalc.capacity} more bytes. Choose a larger tag.`}
  </p>
</div>`

28.4.2 Example 2: Read NFC Tag (Python with PN532)

Hardware:

• Raspberry Pi
• PN532 NFC module
• NFC tags

Python Code:

import nfc

# Connect to NFC reader
clf = nfc.ContactlessFrontend('tty:USB0:pn532')

def on_tag_discovered(tag):
    """Callback when tag is detected"""
    print(f"Tag detected: {tag}")

    # Read NDEF message
    if tag.ndef:
        for record in tag.ndef.records:
            print(f"Type: {record.type}")
            print(f"Data: {record.text if hasattr(record, 'text') else record.uri}")
    else:
        print("No NDEF data found")

    return True  # Keep tag connected

# Listen for tags
print("Waiting for NFC tag...")
clf.connect(rdwr={'on-connect': on_tag_discovered})

Write to Tag:

import ndef

# Create NDEF message
uri_record = ndef.UriRecord("https://iotclass.example.com")
text_record = ndef.TextRecord("Welcome to IoT Class!")

message = [uri_record, text_record]

# Write to tag
def write_tag(tag):
    if tag.ndef:
        tag.ndef.records = message
        print("Written successfully!")
    return False

clf.connect(rdwr={'on-connect': write_tag})

28.4.3 Example 3: Arduino NFC (PN532)

#include <Wire.h>
#include <PN532_I2C.h>
#include <PN532.h>
#include <NfcAdapter.h>

PN532_I2C pn532_i2c(Wire);
NfcAdapter nfc = NfcAdapter(pn532_i2c);

void setup() {
    Serial.begin(9600);
    nfc.begin();
    Serial.println("NFC Reader Ready!");
}

void loop() {
    if (nfc.tagPresent()) {
        NfcTag tag = nfc.read();

        Serial.println("Tag detected!");
        Serial.print("UID: ");
        Serial.println(tag.getUidString());

        // Read NDEF message
        if (tag.hasNdefMessage()) {
            NdefMessage message = tag.getNdefMessage();
            int recordCount = message.getRecordCount();

            for (int i = 0; i < recordCount; i++) {
                NdefRecord record = message.getRecord(i);

                // Print record type and payload
                Serial.print("Record ");
                Serial.print(i);
                Serial.print(": ");

                int payloadLength = record.getPayloadLength();
                byte payload[payloadLength];
                record.getPayload(payload);

                // Print as string (if text/URI)
                for (int j = 0; j < payloadLength; j++) {
                    Serial.print((char)payload[j]);
                }
                Serial.println();
            }
        }
    }

    delay(1000);
}

Try It: ESP32 NFC Tag Reader Simulator

Objective: Simulate the NFC tag reading workflow on ESP32. Since Wokwi does not include a virtual PN532, this code simulates the tag detection and NDEF parsing logic so you can understand the data flow.

Code to Try:

#include <Arduino.h>

// Simulated NFC Tag data
struct NFCTag {
  uint8_t uid[7];
  uint8_t uidLen;
  const char* type;
  const char* payload;
};

// Simulated tag database (like tags you might encounter)
NFCTag tagDB[] = {
  {{0x04, 0xA2, 0x3B, 0x1C, 0x5E, 0x00, 0x00}, 4, "URL", "https://iotclass.org"},
  {{0x04, 0xB7, 0x22, 0x8A, 0x41, 0x00, 0x00}, 4, "TEXT", "Room 302 - IoT Lab"},
  {{0x04, 0xC1, 0x5F, 0x7D, 0x33, 0x00, 0x00}, 4, "WIFI", "SSID:IoTLab,PASS:secure123"},
  {{0x04, 0xD8, 0x44, 0x9E, 0x2B, 0x00, 0x00}, 4, "VCARD", "John Doe;IoT Engineer;+1234567890"},
};
int numTags = 4;
int scanCount = 0;

void printUID(uint8_t* uid, uint8_t len) {
  for (int i = 0; i < len; i++) {
    if (i > 0) Serial.print(":");
    Serial.printf("%02X", uid[i]);
  }
}

void processTag(NFCTag& tag) {
  Serial.println("\n--- NFC Tag Detected! ---");
  Serial.print("UID: ");
  printUID(tag.uid, tag.uidLen);
  Serial.printf(" (%d bytes)\n", tag.uidLen);
  Serial.printf("NDEF Record Type: %s\n", tag.type);
  Serial.printf("Payload: %s\n", tag.payload);
  Serial.printf("Payload Size: %d bytes\n", strlen(tag.payload));

  // Simulate action based on tag type
  if (strcmp(tag.type, "URL") == 0) {
    Serial.println("Action: Opening URL in browser");
  } else if (strcmp(tag.type, "WIFI") == 0) {
    Serial.println("Action: Connecting to Wi-Fi network");
  } else if (strcmp(tag.type, "TEXT") == 0) {
    Serial.println("Action: Displaying text notification");
  }
}

void setup() {
  Serial.begin(115200);
  Serial.println("=== ESP32 NFC Reader Simulator ===");
  Serial.println("Simulating PN532 tag detection cycle...");
  Serial.println("In real hardware: connect PN532 via I2C (SDA=21, SCL=22)\n");
}

void loop() {
  // Simulate periodic tag scanning
  Serial.printf("Scanning... (cycle %d)\n", ++scanCount);

  // Randomly "detect" a tag (simulates physical tap)
  if (random(100) < 40) {  // 40% chance of detection
    int tagIndex = random(numTags);
    processTag(tagDB[tagIndex]);
  } else {
    Serial.println("No tag present");
  }

  delay(2000);  // Scan every 2 seconds
}

What to Observe:

1. Each detected tag has a unique UID (7-byte identifier) – real NFC tags work the same way
2. NDEF records can contain URLs, text, Wi-Fi credentials, or contact cards
3. The reader performs actions based on record type – URL tags open browsers, Wi-Fi tags auto-connect
4. Try adding a new tag type to tagDB (e.g., a “MQTT” type that contains a topic name)

Quiz 1: Programming NFC Tags

Museum example:

Dynamic approach (URL):

Tag content (30 bytes):
https://museum.com/e/mona-lisa

Server response:
- High-res images
- Audio guide (20 languages)
- Video documentary
- Related works
- Visitor reviews

Content updates without touching physical tag!

For museum use case: Dynamic tags are almost always better due to updateability and analytics!

28.5 Real-World NFC Applications

28.5.1 Mobile Payments

Figure 28.1: Mobile payment transaction flow: tap, authenticate, tokenize, and authorize

How It Works:

1. Customer taps phone to terminal
2. Phone emulates credit card via NFC
3. Terminal sends encrypted transaction to bank
4. Bank authorizes payment
5. Transaction complete (< 1 second)

Security Features:

• Tokenization: Real card number never shared
• Biometric auth: Fingerprint/face required
• Secure element: Encrypted storage of payment credentials
• Device-specific: Token tied to specific phone

Market Leaders:

• Apple Pay (iPhone, Apple Watch)
• Google Pay (Android)
• Samsung Pay (Samsung devices)

Try It: NFC Payment Tokenization Simulator

viewof realCardNumber = Inputs.text({
  label: "Credit card number (simulated)",
  value: "4532 1234 5678 9012",
  placeholder: "Enter a 16-digit card number"
})

viewof merchantName = Inputs.select(
  ["Starbucks", "Target", "Amazon", "Whole Foods", "Gas Station"],
  {value: "Starbucks", label: "Merchant"}
)

viewof transactionAmount = Inputs.range([1, 500], {value: 25, step: 1, label: "Amount ($)"})

viewof tapPayButton = Inputs.button("Tap to Pay", {label: ""})

tokenSim = {
  tapPayButton;
  const digits = realCardNumber.replace(/\s/g, '');
  const lastFour = digits.slice(-4);
  const tokenPrefix = "4012";
  const tokenBody = Array.from({length: 8}, () => Math.floor(Math.random() * 10)).join('');
  const token = tokenPrefix + " " + tokenBody.slice(0, 4) + " " + tokenBody.slice(4) + " " + lastFour;
  const cryptogramHex = Array.from({length: 16}, () => Math.floor(Math.random() * 16).toString(16)).join('').toUpperCase();
  const timestamp = new Date().toISOString();
  const authCode = Math.floor(100000 + Math.random() * 900000).toString();
  return {digits, lastFour, token, cryptogramHex, timestamp, authCode};
}

html`<div style="background: linear-gradient(135deg, #2C3E50, #3498DB); padding: 1.5rem; border-radius: 10px; color: white; font-family: system-ui, sans-serif;">
  <h4 style="margin-top: 0; color: #E67E22;">Payment Transaction Flow</h4>
  <div style="display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; margin-bottom: 1rem;">
    <div style="background: rgba(255,255,255,0.1); padding: 1rem; border-radius: 6px;">
      <div style="font-size: 0.8rem; color: #BDC3C7; text-transform: uppercase;">Secure Element (never leaves device)</div>
      <div style="font-family: monospace; font-size: 1.1rem; color: #E74C3C; margin-top: 4px;">
        PAN: ${'**** **** **** ' + tokenSim.lastFour}
      </div>
    </div>
    <div style="background: rgba(255,255,255,0.1); padding: 1rem; border-radius: 6px;">
      <div style="font-size: 0.8rem; color: #BDC3C7; text-transform: uppercase;">Token sent via NFC</div>
      <div style="font-family: monospace; font-size: 1.1rem; color: #16A085; margin-top: 4px;">
        TOKEN: ${tokenSim.token}
      </div>
    </div>
  </div>
  <div style="background: rgba(255,255,255,0.08); padding: 1rem; border-radius: 6px; margin-bottom: 1rem;">
    <div style="font-size: 0.8rem; color: #BDC3C7; text-transform: uppercase; margin-bottom: 6px;">Transaction Details</div>
    <table style="width: 100%; color: white; font-size: 0.9rem;">
      <tr><td style="padding: 3px 0; color: #BDC3C7;">Merchant:</td><td>${merchantName}</td></tr>
      <tr><td style="padding: 3px 0; color: #BDC3C7;">Amount:</td><td>$${transactionAmount}.00</td></tr>
      <tr><td style="padding: 3px 0; color: #BDC3C7;">Dynamic Cryptogram:</td><td style="font-family: monospace; color: #9B59B6;">${tokenSim.cryptogramHex}</td></tr>
      <tr><td style="padding: 3px 0; color: #BDC3C7;">Timestamp:</td><td style="font-family: monospace; font-size: 0.8rem;">${tokenSim.timestamp}</td></tr>
      <tr><td style="padding: 3px 0; color: #BDC3C7;">Auth Code:</td><td style="font-family: monospace; color: #16A085;">${tokenSim.authCode}</td></tr>
    </table>
  </div>
  <div style="background: rgba(22, 160, 133, 0.2); padding: 0.8rem; border-radius: 6px; border: 1px solid #16A085;">
    <strong style="color: #16A085;">Security insight:</strong> Even if an attacker intercepts this NFC transaction, the token is device-specific (tied to this phone's Secure Element) and the cryptogram is single-use. The real card number never left the device.
  </div>
</div>`

28.5.2 Smart Home Automation

NFC Tags for IoT Control:

Figure 28.2: NFC tags triggering smart home automation scenes for bedtime and driving

Example Scenarios:

“Goodnight” Tag (bedside table): - Tap → Turn off all lights - Set thermostat to 68°F - Arm security system - Set phone to Do Not Disturb

“Welcome Home” Tag (front door): - Disarm security - Turn on entry lights - Adjust temperature - Start favorite playlist

Implementation with Home Assistant:

# automations.yaml
- id: nfc_bedtime_routine
  alias: "NFC: Bedtime Routine"
  trigger:
    platform: tag
    tag_id: "04:A3:B2:C1:D4:5E:80"  # NFC tag UID
  action:
    - service: light.turn_off
      entity_id: all
    - service: climate.set_temperature
      data:
        temperature: 68
    - service: alarm_control_panel.alarm_arm_night

Try It: NFC Smart Home Scene Builder

viewof sceneName = Inputs.select(
  ["Goodnight", "Welcome Home", "Leaving Home", "Movie Time", "Morning Routine", "Custom"],
  {value: "Goodnight", label: "Scene preset"}
)

viewof lightsAction = Inputs.select(
  ["Turn off all", "Dim to 20%", "Dim to 50%", "Turn on all", "Night lights only"],
  {value: "Turn off all", label: "Lights"}
)

viewof thermostatTemp = Inputs.range([60, 80], {value: 68, step: 1, label: "Thermostat (F)"})

viewof securityAction = Inputs.select(
  ["Arm night mode", "Arm away mode", "Disarm", "No change"],
  {value: "Arm night mode", label: "Security system"}
)

viewof extraActions = Inputs.checkbox(
  ["Lock all doors", "Set Do Not Disturb", "Start playlist", "Close garage", "Enable cameras"],
  {label: "Additional actions", value: ["Lock all doors", "Set Do Not Disturb"]}
)

sceneConfig = {
  const uid = Array.from({length: 7}, () => Math.floor(Math.random() * 256).toString(16).padStart(2, '0').toUpperCase()).join(':');
  const lightService = {
    "Turn off all": "light.turn_off\n      entity_id: all",
    "Dim to 20%": "light.turn_on\n      data:\n        brightness_pct: 20\n      entity_id: all",
    "Dim to 50%": "light.turn_on\n      data:\n        brightness_pct: 50\n      entity_id: all",
    "Turn on all": "light.turn_on\n      entity_id: all",
    "Night lights only": "light.turn_on\n      entity_id: light.night_lights\n      data:\n        brightness_pct: 10"
  };
  const secService = {
    "Arm night mode": "alarm_control_panel.alarm_arm_night",
    "Arm away mode": "alarm_control_panel.alarm_arm_away",
    "Disarm": "alarm_control_panel.alarm_disarm",
    "No change": null
  };
  const extraMap = {
    "Lock all doors": "lock.lock\n      entity_id: all",
    "Set Do Not Disturb": "notify.mobile_app\n      data:\n        message: command_dnd\n        data:\n          command: turn_on",
    "Start playlist": "media_player.play_media\n      entity_id: media_player.living_room\n      data:\n        media_content_id: playlist://relaxing\n        media_content_type: playlist",
    "Close garage": "cover.close_cover\n      entity_id: cover.garage_door",
    "Enable cameras": "switch.turn_on\n      entity_id: switch.security_cameras"
  };
  let yaml = `# automations.yaml\n- id: nfc_${sceneName.toLowerCase().replace(/\s/g, '_')}\n  alias: \"NFC: ${sceneName}\"\n  trigger:\n    platform: tag\n    tag_id: \"${uid}\"\n  action:\n    - service: ${lightService[lightsAction]}\n    - service: climate.set_temperature\n      data:\n        temperature: ${thermostatTemp}`;
  if (secService[securityAction]) {
    yaml += `\n    - service: ${secService[securityAction]}`;
  }
  for (const action of extraActions) {
    yaml += `\n    - service: ${extraMap[action]}`;
  }
  const actionCount = 2 + (secService[securityAction] ? 1 : 0) + extraActions.length;
  return {yaml, uid, actionCount};
}

html`<div style="background: linear-gradient(135deg, #f8f9fa, #e9ecef); padding: 1.5rem; border-radius: 8px; border-left: 4px solid #9B59B6; font-family: system-ui, sans-serif;">
  <h4 style="margin-top: 0; color: #2C3E50;">Generated Home Assistant Configuration</h4>
  <div style="display: flex; gap: 0.5rem; margin-bottom: 1rem; flex-wrap: wrap;">
    <span style="background: #9B59B6; color: white; padding: 2px 10px; border-radius: 12px; font-size: 0.8rem;">Scene: ${sceneName}</span>
    <span style="background: #3498DB; color: white; padding: 2px 10px; border-radius: 12px; font-size: 0.8rem;">${sceneConfig.actionCount} actions</span>
    <span style="background: #7F8C8D; color: white; padding: 2px 10px; border-radius: 12px; font-size: 0.8rem;">Tag UID: ${sceneConfig.uid}</span>
  </div>
  <pre style="background: #2C3E50; color: #E9ECEF; padding: 1rem; border-radius: 6px; font-size: 0.85rem; overflow-x: auto; white-space: pre; line-height: 1.5;">${sceneConfig.yaml}</pre>
  <p style="margin-bottom: 0; color: #7F8C8D; font-size: 0.85rem; margin-top: 0.8rem;">
    Copy this YAML into your Home Assistant <code>automations.yaml</code> file, then write the tag UID to a physical NFC tag using NFC Tools. Place the tag where you want to trigger the scene.
  </p>
</div>`

28.5.3 Product Authentication

Anti-Counterfeiting:

• Luxury goods: Verify authentic Louis Vuitton, Rolex
• Pharmaceuticals: Ensure medicine is genuine
• Electronics: Confirm legitimate Apple, Samsung products
• Wine/Spirits: Authenticate bottles, track provenance

How It Works:

1. Manufacturer embeds NFC tag with unique encrypted ID
2. Tag registered in blockchain or secure database
3. Customer taps tag with phone
4. App verifies authenticity via cloud lookup
5. Displays product history, warranty info

28.5.4 Smart Posters & Marketing

Interactive Advertising:

Figure 28.3: Smart poster NFC tag delivering video trailers, tickets, and coupons

Use Cases:

• Movie posters: Tap to watch trailer, buy tickets
• Restaurant menus: Nutrition info, allergens, reviews
• Museum exhibits: Audio guides, detailed information
• Real estate: Virtual tours, floor plans, contact agent
• Bus stops: Tap for real-time arrival information

28.5.5 Access Control

Physical Security:

• Hotel room keys: Smartphone as room key (Hilton, Marriott)
• Office buildings: NFC badges or phone-based access
• Parking garages: Tap to enter/exit
• Gym membership: NFC wristband or phone check-in

Advantages:

• No physical key cards to lose
• Remote access granting/revocation
• Audit trail of entry/exit
• Integration with mobile apps

28.6 Security Considerations

NFC Security Risks

While NFC’s short range provides inherent security, risks exist:

• Eavesdropping: Attackers capture communication (requires proximity)
• Data corruption: Intentional or accidental tag modification
• Relay attacks: Extend NFC range using relay devices
• Cloning: Copy tag data to create duplicate
• Malicious tags: Tags programmed to exploit vulnerabilities

28.6.1 Security Best Practices

For Payment Systems:

✅ Tokenization: Never transmit actual card numbers ✅ EMV standards: Follow EMVCo specifications ✅ User authentication: Require biometric or PIN ✅ Transaction limits: Cap contactless payment amounts ✅ Secure element: Use hardware-based key storage

For Access Control:

✅ Encryption: AES-128 minimum for sensitive data ✅ Mutual authentication: Reader and tag both verify identity ✅ Unique keys: Per-tag encryption keys ✅ Audit logging: Track all access attempts ✅ Expiration: Time-limited access credentials

For Smart Tags:

✅ Lock tags: Make read-only after deployment ✅ Signature verification: Cryptographically sign critical data ✅ HTTPS only: Use secure URLs in NDEF records ✅ Sanitize input: Validate data read from unknown tags ✅ User confirmation: Require user approval for sensitive actions

Example: Secure NDEF Signature

// Sign NDEF message
NdefRecord signature = NdefRecord.createMime(
    "application/vnd.bluetooth.signature",
    signData(payload, privateKey)
);

NdefMessage secureMessage = new NdefMessage(
    new NdefRecord[] {dataRecord, signature}
);

Try It: NFC Deployment Security Assessment

viewof deployUseCase = Inputs.select(
  ["Smart poster (public info)", "Home automation trigger", "Access control (office)", "Mobile payment terminal", "Product authentication", "Medical device ID"],
  {value: "Smart poster (public info)", label: "Deployment use case"}
)

viewof tagEncryption = Inputs.radio(
  ["None", "Password (32-bit)", "AES-128", "AES-256 (FIPS 140-2)"],
  {value: "None", label: "Tag encryption"}
)

viewof tagLocked = Inputs.radio(["Yes", "No"], {value: "No", label: "Tag locked (read-only)?"})
viewof httpsOnly = Inputs.radio(["Yes", "No"], {value: "Yes", label: "HTTPS-only URLs?"})
viewof mutualAuth = Inputs.radio(["Yes", "No"], {value: "No", label: "Mutual authentication?"})
viewof inputValidation = Inputs.radio(["Yes", "No"], {value: "No", label: "Input sanitization on read?"})

secAssess = {
  const risks = {
    "Smart poster (public info)": {level: "Low", minEncryption: "None", needsLock: true, needsMutual: false},
    "Home automation trigger": {level: "Medium", minEncryption: "Password (32-bit)", needsLock: true, needsMutual: false},
    "Access control (office)": {level: "High", minEncryption: "AES-128", needsLock: true, needsMutual: true},
    "Mobile payment terminal": {level: "Critical", minEncryption: "AES-128", needsLock: true, needsMutual: true},
    "Product authentication": {level: "High", minEncryption: "AES-128", needsLock: true, needsMutual: true},
    "Medical device ID": {level: "Critical", minEncryption: "AES-256 (FIPS 140-2)", needsLock: true, needsMutual: true}
  };
  const encLevels = {"None": 0, "Password (32-bit)": 1, "AES-128": 2, "AES-256 (FIPS 140-2)": 3};
  const req = risks[deployUseCase];
  const issues = [];
  const passed = [];
  const encOk = encLevels[tagEncryption] >= encLevels[req.minEncryption];
  if (!encOk) issues.push(`Encryption too weak: "${tagEncryption}" selected but "${req.minEncryption}" or higher required for ${deployUseCase}`);
  else passed.push(`Encryption: ${tagEncryption} meets requirement`);
  if (req.needsLock && tagLocked === "No") issues.push("Tag should be locked (read-only) after deployment to prevent tampering");
  else if (tagLocked === "Yes") passed.push("Tag is locked against modification");
  if (httpsOnly === "No") issues.push("Non-HTTPS URLs allow man-in-the-middle attacks on redirected content");
  else passed.push("HTTPS-only URLs enforced");
  if (req.needsMutual && mutualAuth === "No") issues.push(`Mutual authentication required for ${req.level}-risk applications to prevent cloning`);
  else if (mutualAuth === "Yes") passed.push("Mutual authentication enabled");
  if (inputValidation === "No") issues.push("Input sanitization missing: malicious tags could inject harmful data");
  else passed.push("Input sanitization active");
  const score = Math.round((passed.length / (passed.length + issues.length)) * 100);
  const grade = score >= 90 ? "A" : score >= 70 ? "B" : score >= 50 ? "C" : score >= 30 ? "D" : "F";
  const gradeColor = score >= 90 ? "#16A085" : score >= 70 ? "#3498DB" : score >= 50 ? "#E67E22" : "#E74C3C";
  return {req, issues, passed, score, grade, gradeColor};
}

html`<div style="background: linear-gradient(135deg, #f8f9fa, #e9ecef); padding: 1.5rem; border-radius: 8px; border-left: 4px solid ${secAssess.gradeColor}; font-family: system-ui, sans-serif;">
  <div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 1rem;">
    <h4 style="margin: 0; color: #2C3E50;">Security Assessment: ${deployUseCase}</h4>
    <div style="background: ${secAssess.gradeColor}; color: white; width: 50px; height: 50px; border-radius: 50%; display: flex; align-items: center; justify-content: center; font-size: 1.5rem; font-weight: bold;">
      ${secAssess.grade}
    </div>
  </div>
  <div style="background: #dee2e6; border-radius: 4px; height: 12px; margin-bottom: 1rem; overflow: hidden;">
    <div style="background: ${secAssess.gradeColor}; height: 100%; width: ${secAssess.score}%; transition: width 0.3s; border-radius: 4px;"></div>
  </div>
  <div style="display: flex; gap: 0.5rem; margin-bottom: 1rem; flex-wrap: wrap;">
    <span style="background: ${secAssess.req.level === 'Critical' ? '#E74C3C' : secAssess.req.level === 'High' ? '#E67E22' : secAssess.req.level === 'Medium' ? '#F39C12' : '#16A085'}; color: white; padding: 2px 10px; border-radius: 12px; font-size: 0.8rem;">Risk: ${secAssess.req.level}</span>
    <span style="background: #7F8C8D; color: white; padding: 2px 10px; border-radius: 12px; font-size: 0.8rem;">Score: ${secAssess.score}%</span>
    <span style="background: #3498DB; color: white; padding: 2px 10px; border-radius: 12px; font-size: 0.8rem;">${secAssess.passed.length} passed / ${secAssess.issues.length} issues</span>
  </div>
  ${secAssess.passed.length > 0 ? html`<div style="margin-bottom: 0.8rem;">
    <strong style="color: #16A085;">Passed checks:</strong>
    <ul style="margin: 4px 0; padding-left: 1.5rem;">
      ${secAssess.passed.map(p => html`<li style="color: #16A085; margin: 2px 0;">${p}</li>`)}
    </ul>
  </div>` : ''}
  ${secAssess.issues.length > 0 ? html`<div>
    <strong style="color: #E74C3C;">Issues found:</strong>
    <ul style="margin: 4px 0; padding-left: 1.5rem;">
      ${secAssess.issues.map(i => html`<li style="color: #E74C3C; margin: 2px 0;">${i}</li>`)}
    </ul>
  </div>` : html`<div style="background: rgba(22, 160, 133, 0.1); padding: 0.8rem; border-radius: 6px; border: 1px solid #16A085; color: #16A085; font-weight: bold;">All security checks passed for this deployment scenario.</div>`}
</div>`

28.7 Best Practices

✅ Test Across Devices: iPhones, Android phones behave differently ✅ Optimize Tag Placement: Avoid metal surfaces, test read range ✅ Use NDEF Standard: Ensures compatibility across platforms ✅ Provide Visual Cues: Show users where to tap ✅ Handle Read Failures: Network issues, tag damage, distance ✅ Secure Sensitive Actions: Require user confirmation for payments, access ✅ Monitor Tag Health: Check for corruption, physical damage

28.8 Videos

NFC Introduction

NFC Introduction

From Lesson 4 — NFC basics, passive vs active devices, and IoT use cases.

Decision Framework: Choosing NFC Tag Type and Memory Size

When deploying NFC tags for an IoT project, use this systematic framework to select the optimal tag type and memory capacity.

Step 1: Calculate Required Memory

Base NDEF overhead:

TLV header:           2 bytes
NDEF record header:   3-6 bytes (depends on payload size)
Type field:          1-3 bytes
Terminator TLV:      1 byte
-----------------------------------
Minimum overhead:    7-12 bytes

Common payload sizes:

Content Type	Typical Size	Example
Short URL	20-40 bytes	https://iot.co/a (prefix-compressed)
Full URL	40-80 bytes	https://company.com/product/12345
Text (short)	20-50 bytes	“Tap to connect to Wi-Fi”
vCard contact	80-150 bytes	Name, phone, email, company
Wi-Fi credentials	50-100 bytes	SSID, password, security type
Smart Poster	100-200 bytes	URL + title + icon reference
JSON payload	100-500 bytes	Structured device configuration

Formula:

Required memory = Overhead (12 bytes) + Payload size + Safety margin (20%)

Step 2: Memory Selection Matrix

Tag Type	Memory	Write Cycles	Cost	Best For
NTAG210	48 bytes	100,000	$0.15	Ultra-short URLs only (e.g., iot.co/x)
NTAG213	144 bytes	100,000	$0.20	Short URLs, simple text
NTAG215	504 bytes	100,000	$0.35	Smart posters, contacts, Wi-Fi
NTAG216	888 bytes	100,000	$0.50	JSON config, multiple records
NTAG424 DNA	416 bytes	200,000	$0.60	Secure applications (auth)
MIFARE DESFire	2-8 KB	500,000	$1.50	Complex applications, encryption

Step 3: Application-Specific Selection

Use Case 1: Smart Poster at Bus Stop

Requirements: - URL to real-time bus schedule: https://transit.gov/stop/12345 (32 bytes) - Title text: “Bus 42 Schedule” (17 bytes) - Overhead: 12 bytes - Total: 61 bytes

Decision: NTAG213 (144 bytes) - Provides 2.4× margin, adequate for future URL changes Cost at scale (1000 stops): 1000 × $0.20 = $200

Use Case 2: Home Automation Scene Trigger

Requirements: - Trigger Home Assistant webhook: http://192.168.1.5:8123/api/webhook/abc123 (48 bytes) - No updates needed (one-time write) - Total: 60 bytes

Decision: NTAG213 (144 bytes) - Cheapest option that fits Recommendation: Lock tag after writing to prevent accidental overwrites Cost (10 tags around home): 10 × $0.20 = $2.00

Use Case 3: Product Authentication (Luxury Watches)

Requirements: - Product serial number: 16 bytes - Cryptographic signature verification - Anti-cloning essential - Read by mobile app for authenticity check

Decision: NTAG424 DNA (416 bytes) - Only option with cryptographic authentication Why not NTAG213? Can be trivially cloned, worthless for authentication Cost (10,000 watches/year): 10,000 × $0.60 = $6,000 Value protected: $50M in inventory

Use Case 4: Conference Badge with Multiple Records

Requirements: - Attendee URL: https://conf.io/a/8472 (25 bytes) - Attendee name + company: “Jane Smith, Acme Corp” (25 bytes) - Session schedule JSON: 150 bytes - VIP access flag: 20 bytes - Total: 220 bytes

Decision: NTAG215 (504 bytes) - Provides 2.3× margin for adding sessions during conference Alternative: NTAG216 if multiple sessions need embedding (888 bytes) Cost (2,000 attendees): 2,000 × $0.35 = $700

Use Case 5: Industrial Equipment Maintenance Log

Requirements: - Equipment ID: 20 bytes - Maintenance history (append-only log): 500-800 bytes - Update 50-100 times over 10-year lifespan

Decision: MIFARE DESFire 2K (2048 bytes) Why not NTAG216? Write cycle limit (100,000) OK, but 888 bytes insufficient for 10-year log Cost (500 machines): 500 × $1.50 = $750 Benefit: Eliminates paper logs, integrates with CMMS

Step 4: Write Cycle Considerations

Write cycle limits:

Tag	Cycles	Daily Writes	Lifespan
NTAG213	100,000	1/day	274 years
NTAG213	100,000	10/day	27 years
NTAG213	100,000	100/day	2.7 years
DESFire	500,000	100/day	13.7 years

Decision rule:

• Read-mostly (updated <1/month): NTAG213-216 fine
• Occasional updates (1-10/day): NTAG213-216 fine
• Frequent updates (>50/day): Use DESFire or dynamic URL approach

Dynamic URL approach (recommended for frequently changing data):

Instead of updating tag content:
  Tag contains: https://api.io/t/8472
  Server provides: Real-time data at that URL

Benefits:
  - Zero write cycles consumed
  - Unlimited updates
  - Analytics (track taps)
  - Personalization (different data per user)

Tradeoff:
  - Requires network connection
  - Server dependency

Step 5: Security-Driven Selection

Security Need	Minimum Tag Type	Why
None (public info)	NTAG210/213	Cost-optimized
Write-protect	NTAG213 with lock	Prevent tampering
Password-protect	NTAG213/215/216	Basic access control
Anti-cloning	NTAG424 DNA	Cryptographic auth
Encryption	MIFARE DESFire	AES-128 encrypted storage
High-security	DESFire EV3	AES-256, FIPS 140-2

Cost vs Security Matrix:

Security Level →
  Low    Medium    High    Military
  |        |        |         |
$0.20   $0.35    $0.60     $2.50
NTAG213 NTAG216  NTAG424   DESFire EV3

Step 6: Final Checklist

Before purchasing tags, verify:

• Calculated payload size + 20% margin fits in chosen tag
• Write cycle requirements meet expected update frequency
• Security level matches data sensitivity
• Tag type compatible with target devices (iOS/Android)
• Cost at scale fits budget (quantity × unit price)
• Supplier is reputable (counterfeit tags common for DESFire)
• Consider dynamic URL approach for frequently updated content
• Test 10 samples before ordering 1000+

Common Mistakes to Avoid:

❌ Buying smallest tag to save $0.05 - Then data doesn’t fit ❌ Buying largest tag “just in case” - Wasting 2× on cost for unused memory ❌ Using NTAG213 for access control - Trivially cloneable ❌ Forgetting NDEF overhead - 70-byte payload needs 88-byte tag minimum ❌ Not testing iOS compatibility - Some tags work on Android but not iPhone ❌ Ordering from AliExpress without testing - 30% counterfeit rate for DESFire

Sample Order Strategy:

1. Order 10 samples of your chosen tag type
2. Program with actual NDEF data structure
3. Test on iOS and Android devices
4. Verify memory usage in deployed format
5. Test read range on target surfaces (wood, plastic, glass)
6. If successful, order full quantity

This approach saves money by catching issues before bulk purchase.

28.9 How It Works

NFC Tag Programming Flow

When you write an NDEF message to an NFC tag, the process follows these steps:

1. Tag Detection: Reader detects tag via anti-collision protocol (REQA/ATQA exchange)
2. UID Read: Unique 4- or 7-byte identifier confirms tag presence
3. Tag Type Identification: Reader checks SAK (Select Acknowledge) byte to determine tag type (NTAG213/215/216, DESFire, etc.)
4. Memory Access: Reader authenticates (if password-protected) and writes to user memory pages
5. NDEF Construction: Message structured as TLV (Type-Length-Value): 0x03 (NDEF TLV) + length + NDEF records + 0xFE (terminator)
6. Verification: Reader reads back written data to confirm integrity

Mobile Payments extend this with additional security layers: - Tokenization: Real card number (PAN) replaced with device-specific token - Dynamic Cryptogram: Each transaction generates unique, unreplayable code using AES-128 - Secure Element: Cryptographic keys stored in tamper-resistant hardware, isolated from main OS

The “tap and go” experience (< 500 ms) hides this complexity—NFC field powers tag, exchanges data, and completes transaction faster than a chip card insertion.

28.10 Concept Check

Quiz: NFC Implementation

28.11 Concept Relationships

Connecting NFC Implementation Concepts

Tag programming spans three platforms (Android/Python/Arduino) but uses identical NDEF structure—the same URL record written on Android can be read on any NFC phone. This interoperability is NDEF’s core value.

Mobile payments demonstrate security layering: tag-level (NFC’s 4 cm range), transport-level (tokenization + cryptograms), and application-level (biometric auth + Secure Element). No single layer is sufficient—security requires all three.

Smart home automation uses NFC as a trigger, not a controller. The tag stores a webhook URL or scene identifier; the actual automation logic runs server-side. This keeps tags simple (read-only, no battery) while maintaining flexibility (scenes can be updated without reprogramming tags).

Product authentication distinguishes NTAG213 (basic password protection, easily cloned) from NTAG424 DNA (AES-128 + Secure Dynamic Messaging, cryptographically unforgeable). For anti-counterfeiting, the 60-cent price difference between tags can protect thousands of dollars in brand value.

28.12 See Also

Related Topics

Implementation Guides:

• NFC IoT Integration - Gateway patterns and MQTT integration
• RFID Hands-on - Related contactless programming
• Bluetooth Applications - BLE pairing alternatives

Security Deep Dives:

• NFC Security and Comparisons - EMV payment security
• IoT Device Security - Secure Element architecture

Development Tools:

• NFC Tools App - Read/write tags on Android/iOS
• TagWriter by NXP - Advanced tag programming

28.13 Try It Yourself

Hands-On Tag Programming

Exercise 1: Multi-Record NDEF Message

Program an NTAG216 tag with a Smart Poster containing: - URL: https://example.com/product/123 - Title: “Product XYZ - Tap for Details” - Action: Open browser

Calculate NDEF size before writing: - URL record: ~35 bytes - Text record (title): ~32 bytes - Action hint: ~5 bytes - TLV overhead: ~8 bytes - Total: ~80 bytes (fits in NTAG216’s 888 bytes)

What to observe: Some phones auto-select the title text, others show “Open in Browser” button.

Exercise 2: Password-Protected Tag

Write a URL to NTAG213, then lock with password: - Set 32-bit password: 0x12345678 - Set PACK (acknowledge): 0xABCD - Configure AUTH0 (first protected page): 0x10 - Test: Reading still works, writing requires password

What to observe: The tag is now read-only to unauthorized users, but data remains visible.

Exercise 3: Dynamic URL for Analytics

Instead of static URL, use server-tracked shortlink: - Static: https://longdomain.com/products/category/item123 - Dynamic: https://short.link/p/A7X

Server logs each tap (timestamp, IP, tag ID) and redirects to product page. Tracks which products get the most taps in-store.

Tip: Use URL shorteners that provide analytics (Bitly, TinyURL with stats).

Matching Quiz: NFC Implementation Concepts

Ordering Quiz: NFC Mobile Payment Transaction

Common Pitfalls

1. Polling Too Aggressively for NFC Tags

Some NFC reader implementations poll continuously for tags, consuming significant power. Fix: implement adaptive polling that reduces frequency when no tags are detected and increases frequency only when user interaction is expected.

2. Not Handling RF Field Loss Gracefully

If a user removes an NFC tag mid-transaction, the reader’s RF field drops and the transaction fails. Fix: implement timeout and retry logic for multi-step NFC transactions and inform the user to keep the tag in range until the operation completes.

3. Using HCE for Payment Without Understanding Security Limitations

HCE stores card credentials in software, which is more vulnerable to extraction than a hardware Secure Element. Fix: use HCE only for non-payment NFC applications or where the card scheme (e.g., Visa/Mastercard) specifically certifies the HCE implementation for payment.

🏷️ Label the Diagram

💻 Code Challenge

28.14 Summary

This chapter covered NFC implementation and applications:

• Tag Programming: Write URLs, text, and custom data using Android, Python, and Arduino
• Mobile Payments: Tokenization and secure element architecture for Apple Pay and Google Pay
• Smart Home: NFC tags triggering IoT automation scenes
• Product Authentication: Anti-counterfeiting with encrypted NFC tags
• Security Best Practices: Encryption, authentication, and input validation

28.15 What’s Next

Chapter	Description
NFC IoT Integration	Gateway patterns, MQTT bridging, and hands-on ESP32/Raspberry Pi labs for NFC in IoT ecosystems
NFC Security and Comparisons	EMV payment security deep dive, relay attack analysis, and NFC vs BLE vs RFID comparison
NFC Communication Fundamentals	Review operating modes, tag types, and NDEF format foundations covered in the prerequisite chapter
RFID Hands-on and Applications	Related contactless technology programming and real-world RFID deployment patterns