LEAF Verified brings modern cryptographic security to physical credentials, built on NXP's MIFARE DUOX® technology. The same public key foundation as Aliro™, with no shared secrets and no vendor lock-in. Designed for scale and open to everyone.
No LEAF membership required.
.png)
LEAF Verified is the breakthrough access credential built on NXP's MIFARE DUOX® technology that delivers enterprise-grade security while removing operational complexity. Using public-key cryptography, LEAF Verified eliminates the burden of managing encryption keys—simplifying interoperability and enabling seamless deployment across any compatible LEAF Community device.
For as long as the industry has existed, credentials and readers have relied on the same fundamental approach: symmetric cryptography — shared secrets distributed across every device in the system. The industry is now moving to public key cryptography — the same public key infrastructure that secures digital drivers licenses and encrypted communications.
LEAF Verified is built on open standards, using the same modern public key cryptography found in online banking and Aliro. Your credentials work across any compatible device from any manufacturer. No proprietary lock-in. No vendor dependency.
Most access control deployments stay installed for over a decade. LEAF Verified is built on the same foundation as Aliro, so the credential you choose today stays relevant for the life of the system.
Each credential carries its own private key. Compromising one card affects only that credential - your entire fleet remains secure.
Every credential includes NDEF with a configurable dynamic URL — giving your access control software provider the capability to build self-service enrollment, provisioning, and onboarding workflows with a single tap.
LEAF Verified is built on open standards: ISO 14443, ISO 7816-4, and X.509 PKI. No proprietary middleware, no vendor-specific APIs. Your platform verifies every LEAF Verified credential with the same integration.
Retrieve credentials via API calls into your platform, enable QR code scans for fast downloads, or use NDEF tap-to-phone redirect. A single manifest system that adapts to your workflow.
Every credential supports NFC Data Exchange with a configurable dynamic URL redirect, providing the foundation for you to build custom enrollment, provisioning, and onboarding workflows within your platform.
Every LEAF Verified credential uses the same certificate structure and verification flow — no per-vendor integration work.
.png)
The cryptographic building blocks required to support LEAF Verified are the same ones required for Aliro. Supporting both means implementing one crypto stack, not two. Open-source documentation makes integration straightforward.
Device onboarding documentation and reference implementations - publicy available.
LEAF Verified uses the same elliptic curve cryptography as Aliro. While Aliro requires mutual authentication — a fundamentally different protocol — the shared ECC P-256 primitives mean less net-new cryptographic work on your roadmap.
Shape the credential roadmap alongside other industry leaders — your input drives what comes next.
Built on open standards (ISO 14443, ISO 7816-4, X.509 PKI) with no vendor-specific software required. Everything you need is included with the credential.
.png)
With LEAF Verified, you never distribute secret keys to readers. No SAM cards. No key ceremonies. No site visits to rotate keys. Every credential carries its own certificate, and the reader verifies it cryptographically on the spot.
Credential manifest enables bulk digital enrollment - what used to take manual card-by-card entry becomes a single import.
No vendor-specific profiles to load, no config apps to manage, no per-project device setup. Readers work out of the box with any LEAF Verified credential.
Works across any LEAF Verified compatible reader. Choose your hardware without being locked into a single credential vendor.
LEAF Verified & Aliro aren't competing - they're the two halves of the industry's transition from symmetric to public key.
What's Inside
> The Public Key Revolution
> Silicon vs. Credential vs. Community
> What Is Aliro — And What It Isn't
> Better Together: The Complementary Model
> Common Questions & FAQ
MIFARE DUOX is NXP's contactless IC technology: the silicon. It provides powerful cryptographic capability but, on its own, has no application, identity, or ecosystem. LEAF Verified is what DUOX becomes when it is securely provisioned through a direct partnership between NXP and LEAF, starting at the wafer level. Think of DUOX as the raw material and LEAF Verified as the finished, deployable product.
Every credential carries a guaranteed unique 12-digit Open ID and a LEAF Certificate that enables any compatible reader to cryptographically verify authenticity. Authentication happens on the spot using public-key cryptography. No shared secrets are ever exchanged.
No. LEAF Verified is built on open standards (ISO 14443, ISO 7816-4, and X.509 PKI) using the same ECC P-256 cryptography as Aliro. Integration documentation is being open-sourced so any reader manufacturer can add support, and the LEAF Community's Product Committee governs the credential's evolution.
No. They solve different problems for different form factors. LEAF Verified is a physical credential product for passive media like cards and fobs. Aliro is a protocol for connected digital devices like smartphones and smartwatches. They share the same cryptographic foundation (ECC P-256) and are designed to complement each other.
While you can buy raw chips, a blank DUOX chip is just a component with no identity, no certificate, and no ecosystem. LEAF Verified delivers a turnkey, ready-to-deploy product with wafer-level provisioning, PKI infrastructure, enrollment tooling, and ecosystem support. Building this from scratch would require developing your own PKI, encoding pipelines, API integrations, and ongoing lifecycle management.
Ready to experience LEAF Verified firsthand? Complete the form below to request a sample and take the next step toward advancing security, interoperability, and user experience.
No matter where you sit in the access control ecosystem — enterprise security, software, hardware, or integration — we’re ready to collaborate.
.png)
