authentication nfc pki lib-nfc

NFC authentication


I am getting the UID of an NFC tag by sending and receiving APDUs from the card, and storing them in a database. While logging in, I am comparing the logged-in user's tag ID with the database for authentication. That works, but is this the right way of NFC authentication as per standard security policy? I am a bit confused, as PKI involves certificate handling and binding users with public keys.


Solution

  • Using the UID for authentication is not a good idea, since it is world-readable and anyone could copy it and use it to program one of the cards that allow it. Some contactless devices generate a different random UID every time they are powered up.

    There are lots of alternatives, like these two quite simplistic ones:

    • Use one of the standard secure channels (SCP02, SCP03) to perform mutual authentication between card and reader and then send the identifier. Each card would have to be provisioned with a set of symmetric keys (3DES or AES in the cases above), and the reader with the means to derive them from some card unique identifier.

    • Use public-private keys. You could for instance store the private key in the card at enrollment time, then for authentication use it to sign a challenge issued by the reader + some ID linked to the public key in a certificate.

    Probably you can find much better ideas by looking around. Good luck!
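
The symmetric-key option from the answer, as an added example that is not part of the original answer: the reader derives each card's key from a master key and the UID, then both sides prove possession of that key over fresh challenges, so a card that only copies the UID is rejected. It uses HMAC-SHA256 from the Python standard library as a stand-in for the 3DES/AES MACs of SCP02/SCP03 and is not an implementation of those protocols; `SimulatedCard`, `MASTER_KEY` and `UID` are hypothetical, constructed values.

```python
import hashlib
import hmac
import secrets

MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
UID = bytes.fromhex("04a1b2c3d4e5f6")  # constructed 7-byte UID


def diversify(master_key, uid):
    """Reader side: derive the card's key from the master key and the UID."""
    return hmac.new(master_key, b"card-key" + uid, hashlib.sha256).digest()


def mac(key, role, uid, rc, cc):
    """MAC over role tag, length-prefixed UID and both 16-byte challenges."""
    msg = role + bytes([len(uid)]) + uid + rc + cc
    return hmac.new(key, msg, hashlib.sha256).digest()


class SimulatedCard:
    """Hypothetical stand-in for the card; the key never leaves this object."""

    def __init__(self, uid, key):
        self.uid, self._key, self._session = uid, key, None

    def answer(self, rc):
        cc = secrets.token_bytes(16)  # fresh card challenge per session
        self._session = (rc, cc)
        return cc, mac(self._key, b"C", self.uid, rc, cc)

    def check_reader(self, reader_mac):
        rc, cc = self._session
        return hmac.compare_digest(reader_mac, mac(self._key, b"R", self.uid, rc, cc))


def authenticate(card, master_key=MASTER_KEY):
    """Reader side: True only if the card and the reader both prove the key."""
    key = diversify(master_key, card.uid)
    rc = secrets.token_bytes(16)  # fresh reader challenge, defeats replay
    cc, card_mac = card.answer(rc)
    if not hmac.compare_digest(card_mac, mac(key, b"C", card.uid, rc, cc)):
        return False  # UID matched, but the card does not hold the key
    return card.check_reader(mac(key, b"R", card.uid, rc, cc))


genuine = SimulatedCard(UID, diversify(MASTER_KEY, UID))  # provisioned at enrollment
clone = SimulatedCard(UID, secrets.token_bytes(32))  # copied UID, no card key

if __name__ == "__main__":
    print("genuine:", authenticate(genuine))  # True
    print("clone:  ", authenticate(clone))    # False
```

The database lookup from the question can still key on the UID, but only after `authenticate` has returned True for that card.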