What is a Prox Card? 125 kHz vs Smart Card vs Mobile

Prox Card

A proximity card, or prox card, is a 125 kHz RFID badge used in legacy access control. The card holds a fixed unencrypted ID number; the reader transmits an electromagnetic field that powers the card and reads the ID. Prox cards dominated commercial access control from the late 1990s through 2015 but are now considered legacy because the unencrypted ID can be cloned in seconds with a $35 tool. Modern installs use 13.56 MHz smart cards (MIFARE DESFire EV3, HID iCLASS SEOS) or mobile credentials, both of which use mutual authentication and encryption.

The short definition

A prox card has no battery and no smarts. Inside the plastic shell sits an antenna coil and a small microchip storing a fixed ID number. The reader emits a 125 kHz electromagnetic field; when the card enters the field, the antenna couples to it, the chip wakes up, and it transmits its ID back to the reader. The reader sends the ID to the controller via Wiegand or OSDP, the controller checks its database, and the door unlocks if the ID is on the access list.

Read range is typically 2 to 4 inches at the reader. The "proximity" in the name refers to that short range, not to anything special about the technology. Prox cards work because they're cheap (under $5 per card in volume), durable (no battery, no contact wear), and good enough for the threat models commercial security worried about in 1995.

Why prox is no longer secure

The 125 kHz prox protocol has three structural weaknesses.

Unencrypted ID. The card transmits its ID in the clear. Any 125 kHz reader can capture it.
No mutual authentication. The card doesn't verify the reader is legitimate before transmitting. A rogue reader (even a commodity Proxmark or Flipper Zero) gets the same ID a real reader gets.
Cloneable to a blank card. The captured ID can be written to a blank prox card or emulator in seconds. The clone presents identically at any reader.

Cost of attack: under $50 in equipment, 30 seconds of physical proximity to a card. The low barrier matters because credentials get left out in the open (lanyards, badges on desks, cards in wallets in coat pockets).

Smart cards: the modern replacement

Smart cards operate at 13.56 MHz and use cryptographic protocols that defeat the prox attack pattern.

MIFARE DESFire EV3. NXP's enterprise standard. AES-128 mutual authentication. Multi-application (badge plus print plus cafeteria). Common in office, education, and government.
HID iCLASS SEOS. HID Global's enterprise smart card. Backward-compatible with HID Prox during migration. Common where customers are upgrading existing HID infrastructure.
FIDO2 credentials. Newer category. The same hardware token also handles cyber MFA on workstations.

Smart cards plus modern multi-format readers (HID Signo, Allegion ENGAGE, Schlage Mobile-ready) read both prox and smart simultaneously, which is what makes the migration practical without flag-day cutovers.

The migration plan

Step 1: replace readers. Multi-format readers handle prox, smart, and mobile credentials. Capital expense. Roll out site by site over 6 to 12 months.
Step 2: issue new credentials to new hires. Smart cards or mobile credentials. Existing users keep their prox cards. Both work at every door.
Step 3: bulk-issue to existing users. Roll out smart card or mobile credentials to all existing users over 6 to 12 months. Provide training.
Step 4: sunset prox. Set a date 18 to 24 months out where prox stops working. Issue replacement smart cards on request to any holdouts.

When prox is acceptable

Two scenarios where prox can stay:

Low-sensitivity zones. Restroom doors, parking gates, gym entrances. The ID-clone risk doesn't enable meaningful harm. Prox is fine until natural reader replacement.
Short-term occupancy. Construction site trailers, temporary offices, event spaces. Prox works for 6-month deployments where smart-card lifecycle costs don't pay back.

Anywhere else, prox is a known security gap that should be on a 12-to-24-month replacement plan.

When to ask Tec-Tel about prox migration

Prox-to-smart migrations are reader-replacement projects with phased credential rollout. We'll inventory existing readers, scope the smart-card or mobile platform, and run the migration over 12 to 18 months without flag-day cutover. Free scoping call.

Frequent buyer questions

Are prox cards still secure?

No. The 125 kHz prox card transmits an unencrypted ID that can be cloned in 5 to 30 seconds with a $35 RFID copier (Proxmark, Flipper Zero, or any commodity tool). The format was designed in the 1990s when RFID cloning required specialized equipment. Today it doesn't. Prox cards are still common in deployed installs but should not be specified for new buildings or sensitive zones.

What's the difference between a prox card and a smart card?

Frequency and security. Prox cards operate at 125 kHz with an unencrypted ID. Smart cards operate at 13.56 MHz with mutual authentication and encryption (AES, 3DES). MIFARE DESFire EV3, HID iCLASS SEOS, and FIDO2 cards are smart cards. Smart cards can also store multiple credentials per card (badge plus print release plus cafeteria payment). Smart card readers can usually read legacy prox during migration.

What are the major prox card formats?

Three families dominate North American commercial. (1) HID Prox (HID Global), the most deployed; common formats H10301, H10302, H10304. (2) Indala (now HID), older but still seen at legacy installs. (3) AWID, EM4100, and others, often at lower-tier or non-US sites. Formats differ in bit length and parity, so a reader configured for one format won't read another without re-programming.

How do I migrate from prox to smart card or mobile?

Standard three-phase plan. (1) Replace prox-only readers with multi-format readers (HID Signo, Allegion ENGAGE Multi) that read prox plus smart plus mobile. (2) Issue smart cards or mobile credentials to new hires; existing users keep their prox cards. (3) Sunset prox after 12 to 18 months once most users are on smart or mobile. The reader replacement is the capital expense; the credential migration is gradual and low-friction.

Should I keep prox cards if my building has them?

Depends on threat model. Standard office with low insider risk and no regulatory mandate: prox is functional, replacement is optional. Buildings with cardholder data (PCI DSS), patient data (HIPAA), or compliance requirements (CMMC, CJIS, NERC-CIP): replace within 12 months. Buildings post-incident where credential cloning is suspected: replace immediately. Insurance underwriters increasingly ask about credential security; prox-only deployments may face premium increases.

Start with a free consultation.

Tell us what you're protecting and what's already in place. The Tec-Tel team reviews it and comes back with a written plan.

Tell us how many sites you run and what's already in place. We'll show you what a build or upgrade looks like.

Straight answers from the team that does the work. We're platform-agnostic, so you get the system that fits your sites, not one brand's catalog.

Since 2010 · 1,000+ deployments nationwide · ISN-accredited

Book a free consultation 855-577-0400