Counterfeit products are becoming increasingly sophisticated. Traditional security methods such as holograms, serial numbers, and QR codes are often no longer sufficient to protect high-value products.
This is why many brands are adopting NTAG424 DNA Dynamic URL Authentication, one of the most advanced NFC authentication technologies available today.
It is widely used for:
- Luxury goods authentication
- Cosmetics anti-counterfeiting
- Wine and spirits protection
- Pharmaceutical traceability
- Digital Product Passports (DPP)
- Certificates of Authenticity (COA)
- Electronics warranty authentication
- Collectibles and artwork authentication
But how does it actually work?
Why is it considered significantly more secure than a normal NFC tag or QR code?
This guide explains the complete authentication process, from the moment a consumer taps the NFC tag to the backend verification process.
What Is NTAG424 DNA?
NTAG424 DNA is a high-security NFC chip developed by NXP.
It supports:
- AES-128 encryption
- Secure Dynamic Messaging (SDM)
- Dynamic URLs
- Dynamic CMAC generation
- Secure backend authentication
- Anti-cloning protection
Unlike traditional NFC tags, NTAG424 DNA does not simply store a fixed URL.
Instead, it generates encrypted authentication data every time it is scanned.
The Problem with Static URLs
A standard NFC tag may contain:
https://brand.com/product123
Every tap returns exactly the same URL.
This creates a major security problem:
Read tag
↓
Copy URL
↓
Write onto another tag
↓
Counterfeit product created
This is why static URLs provide very limited anti-counterfeit protection.
The Core Idea Behind Dynamic URL Authentication
NTAG424 DNA creates a different authentication URL every time the tag is scanned.
Instead of:
https://brand.com/product123
The chip generates something like:
https://brand.com/auth?e=8A9B34F2&c=1C7D89E3
The next scan might become:
https://brand.com/auth?e=4D7A91B8&c=9F1E76D2
The URL changes continuously.
A copied URL quickly becomes invalid.
What Is Inside the Dynamic URL?
A typical NTAG424 DNA URL contains two encrypted parameters:
https://brand.com/auth?e=xxxxx&c=yyyyy
Where:
| Parameter | Meaning |
|---|---|
| e | Encrypted PICC Data |
| c | CMAC (Message Authentication Code) |
These parameters are generated dynamically by the chip.
What Is Encrypted PICC Data?
Encrypted PICC Data usually contains:
- UID (Unique ID)
- Read counter
- Other chip information
The data is encrypted using:
AES-128
This means nobody can understand or manipulate the information without the secret key.
What Is CMAC?
CMAC stands for:
Cipher-based Message Authentication Code
CMAC acts like a digital signature.
It proves:
- The message was generated by the genuine chip.
- The message has not been modified.
Even if someone knows the URL format, they cannot generate a valid CMAC without the secret key.
Dynamic URL Authentication Workflow
The process is surprisingly simple from the consumer’s perspective.
Tap NFC Tag
↓
Tag generates encrypted URL
↓
Phone opens browser
↓
Authentication server verifies data
↓
Authentication result displayed
The entire process usually takes less than one second.
Step 1: Consumer Taps the Product
The NFC-enabled smartphone powers the NTAG424 DNA chip.
The chip immediately generates:
- Encrypted PICC Data
- Dynamic CMAC
- Dynamic URL
No battery is required.
Step 2: Browser Opens Authentication URL
Example:
https://brand.com/auth?e=xxxxx&c=yyyyy
The phone automatically opens the URL.
No app is required.
This is one of the biggest advantages of NTAG424 DNA.
Step 3: Backend Server Receives the Data
The server receives:
e=xxxxx
c=yyyyy
The server also knows:
- AES keys
- Authentication rules
- Product database
Step 4: Decrypt the PICC Data
Using the AES key, the server decrypts:
UID
Read Counter
Tag Information
The server can now identify:
- Which product is being scanned
- How many times it has been scanned
- Whether the data looks legitimate
Step 5: Verify the CMAC
The server recalculates the CMAC.
If:
Calculated CMAC
=
Received CMAC
the authentication succeeds.
If not:
Authentication Failed
Why Counterfeiters Cannot Clone the Tag
Counterfeiters face several problems.
Problem 1: AES Key Is Secret
The AES key is never exposed.
Without the key, they cannot:
- Generate valid encrypted data
- Generate a valid CMAC
- Produce a valid authentication URL
Problem 2: Dynamic Read Counter
Every scan increases the read counter.
Example:
Scan #1 → Counter 1
Scan #2 → Counter 2
Scan #3 → Counter 3
A copied URL will usually contain an old counter value.
The server can detect replay attacks.
Problem 3: Dynamic URL
The authentication URL constantly changes.
Copying yesterday’s URL is useless today.
Example Authentication Flow
Luxury Bag
↓
Consumer taps tag
↓
Dynamic URL generated
↓
Backend verifies
↓
Display:
✓ Genuine Product
Detecting Suspicious Activities
Because every scan is unique, the system can identify:
- Excessive scans
- Geographic anomalies
- Grey market products
- Replay attacks
- Counterfeit attempts
Example:
Product sold in France
↓
Scanned in Asia 30 minutes later
↓
Flag suspicious activity
Authentication Result Page
The server may display:
- Genuine product confirmation
- Product image
- Serial number
- Manufacturing date
- Warranty information
- Ownership registration
- Product history
- Sustainability information
This creates a rich consumer experience.
Why Dynamic URL Authentication Is Better Than QR Codes
| Feature | QR Code | NTAG424 DNA |
|---|---|---|
| Dynamic URL | No | Yes |
| Encryption | No | AES-128 |
| Anti-Cloning | Poor | Excellent |
| Replay Protection | No | Yes |
| Hidden Integration | No | Yes |
| Consumer Experience | Good | Excellent |
Industries Using Dynamic URL Authentication
Luxury Goods
- Handbags
- Watches
- Fashion accessories
Cosmetics
- Premium skincare
- Perfumes
Wine and Spirits
- Wine authentication
- Limited editions
Pharmaceuticals
- High-value medicines
- Medical devices
Electronics
- Warranty authentication
- Product verification
Collectibles
- Certificates of authenticity
- Limited editions
Recommended NTAG424 DNA Products
Typical Product Formats
NTAG424 DNA Anti-Tamper Labels
Ideal for:
- Cosmetics
- Pharmaceuticals
- Electronics
NTAG424 DNA Hang Tags
Ideal for:
- Luxury fashion
- Shoes
- Accessories
NTAG424 DNA Wine Labels
Ideal for:
- Wine
- Spirits
- Premium beverages
NTAG424 DNA Authentication Cards
Ideal for:
- Warranty cards
- Certificates of authenticity
Frequently Asked Questions
Does Dynamic URL Authentication require an app?
No.
The URL can open directly in the phone browser.
Can someone copy the URL?
They can copy it, but they cannot generate a valid future authentication request.
Can NTAG424 DNA be cloned?
The combination of:
- AES-128 encryption
- Dynamic CMAC
- Dynamic read counters
- Secure Dynamic Messaging
makes cloning extremely difficult.
Does every scan generate a different URL?
Yes.
This is the core security feature of NTAG424 DNA.
Final Thoughts
NTAG424 DNA Dynamic URL Authentication combines:
✅ AES-128 encryption
✅ Dynamic URLs
✅ Secure Dynamic Messaging (SDM)
✅ Anti-replay protection
✅ Consumer-friendly smartphone interaction
✅ Powerful analytics and traceability
Instead of simply storing information like a traditional NFC tag, NTAG424 DNA proves authenticity every time a product is tapped.
This is why it has become one of the most popular NFC technologies for:
- Luxury goods protection
- Product authentication
- Anti-counterfeiting
- Digital Product Passports
- Secure consumer engagement
For brands looking to build a future-proof authentication platform, NTAG424 DNA dynamic URL authentication provides one of the strongest and most practical solutions available today.

Do RFID is a leading China-based manufacturer with over 15 years of experience. We specialize in customized RFID readers, tags, and cards, delivering high-quality, tailored solutions that meet your unique business needs and drive seamless, efficient identification.