MAC Randomisation: What You Need to Know to Maintain User Security & User Experience

By Chris Spencer, CTO, GlobalReach Technology

When Apple announced in its WWDC 2020 keynote that it would be putting MAC randomisation in place, it caused ripples through the Wi-Fi technology community. The feature is now available in the iOS 14 beta, which gives us time to consider the implications and set out our advice.

I have been lucky enough to have access to the beta feature. That’s given us the opportunity to develop a guide to help our customers and partners to understand the impacts of this new development when it happens.

What is MAC randomisation?

MAC randomisation stops anyone listening on the air, or operating the network, from using a device's MAC address to build a history of its activity. Simply put, a randomised MAC address puts a privacy guard on the device: listeners can't use your iPad, Mac, or iPhone's hardware MAC address to correlate your activity and location across networks and over time. Your privacy, and with it your protection against tracking, increases as a result.

We don’t know when, but we suspect that Apple will universally release this feature close to the release of iOS 14 on all iPhones and iPads. It’s expected, but not yet implemented, for users of its new operating system macOS Big Sur, affecting MacBook (Pro), MacBook Air and Mac mini users. When you consider that the large majority of iPhones in use (we estimate 70-90%) can run iOS 14, this will be an issue for most public Wi-Fi users.

Random, just how random?

Apple’s implementation of MAC randomisation draws from the ‘locally administered’ address space: addresses whose first octet has the U/L (universal/local) bit set and the I/G (individual/group) bit clear, so they can never collide with a vendor-assigned hardware address. That constraint leaves four ranges, distinguished by the second hex digit:

x2-xx-xx-xx-xx-xx
x6-xx-xx-xx-xx-xx
xA-xx-xx-xx-xx-xx
xE-xx-xx-xx-xx-xx

The second hex digit of the MAC address is the significant one: it is always 2, 6, A, or E, because those are the values that set the locally administered bit without setting the multicast bit. The rest of the address is random. So, just how random could that be? A MAC address is 12 hex digits long; with the second digit constrained to one of those four values, each of the remaining 11 digits can take any of the 16 hex values:

16 x 16 x 16 x 16 x 16 x 16 x 16 x 16 x 16 x 16 x 16, or 16^11 = 17,592,186,044,416.

And remember there are four of those ranges (2, 6, A or E), so we have (16^11) x 4.

So operating systems randomising the MAC address have over seventy trillion (70,368,744,177,664, or 2^46) MAC addresses to draw from.

How random the result actually is comes down to the quality of Apple’s random number generator, but the address space is clearly large enough: the chance of two devices in the same venue drawing the same address is negligible.
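The bit-level rule behind the four ranges above, as an added worked example (this is editorial example code, not GlobalReach’s or Apple’s). It parses a MAC in the common notations, tests the U/L and I/G bits of the first octet, confirms the 2^46 figure, and draws a private address the way the article describes. The generator uses the OS CSPRNG as an assumption; Apple’s actual algorithm is not public, so it illustrates the address format, not Apple’s implementation. The addresses in `__main__` are constructed, not captured from real devices.

```python
import secrets

# Bit positions in the first octet of a 48-bit MAC address (IEEE 802 terminology).
IG_BIT = 0x01  # bit 0: 0 = individual (unicast), 1 = group (multicast/broadcast)
UL_BIT = 0x02  # bit 1: 0 = universally administered (OUI-assigned), 1 = locally administered


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff and return the six octets."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)  # raises ValueError on non-hex characters


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit is set, i.e. the address was not assigned from a vendor OUI."""
    return bool(parse_mac(mac)[0] & UL_BIT)


def is_multicast(mac: str) -> bool:
    """True when the I/G bit is set (multicast or broadcast)."""
    return bool(parse_mac(mac)[0] & IG_BIT)


def is_private_mac(mac: str) -> bool:
    """Locally administered *and* unicast: exactly the x2/x6/xA/xE ranges in the article.
    The broadcast address ff:ff:ff:ff:ff:ff has the U/L bit set but is a group address,
    so it is correctly excluded."""
    first = parse_mac(mac)[0]
    return bool(first & UL_BIT) and not (first & IG_BIT)


def second_hex_digit(mac: str) -> str:
    """The low nibble of the first octet: the 'significant digit' the article refers to."""
    return format(parse_mac(mac)[0] & 0x0F, "X")


def private_address_space() -> int:
    """Number of distinct private MACs: 48 bits with two of them fixed (U/L = 1, I/G = 0)."""
    return 2 ** (48 - 2)


def generate_private_mac() -> str:
    """Draw a private MAC as the article describes: 48 random bits, then force the U/L bit
    on and the I/G bit off in the first octet. secrets.token_bytes is an assumption standing
    in for whatever generator the OS actually uses."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | UL_BIT) & (0xFF ^ IG_BIT)
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Constructed addresses, not captured from any real device.
    samples = ["a4:83:e7:11:22:33", "06:1f:9a:c0:ff:ee", "ff:ff:ff:ff:ff:ff", generate_private_mac()]
    for mac in samples:
        print(f"{mac}  second digit={second_hex_digit(mac)}  private={is_private_mac(mac)}")
    print(f"private address space: {private_address_space():,}")
```

`is_private_mac` is the check to run over your RADIUS accounting or DHCP lease records if you want to know what share of your clients already present a randomised address; note that it also matches addresses that administrators set by hand on virtual machines and some IoT devices, since those use the same locally administered bit.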

How’s this different?

Today, iOS already randomises the MAC address in probe requests (the frames a device sends while scanning for networks), but once the device associates with a network it still uses its true hardware MAC address.

MAC randomisation in iOS 14 completely overhauls the process. As observed in the beta:

    1. Devices generate a new private Wi-Fi MAC address per Wi-Fi network.
    2. They regenerate this MAC address every 24 hours.

Windows 10 has had an option to enable MAC randomisation for a few years now, but it is off by default and a user has to navigate to the correct menu and actively enable it.

Android is also testing changing MAC addresses more often: a developer option, ‘enhanced MAC randomisation’, generates a new MAC address more frequently when enabled. This is currently only a developer option rather than a default, but it shows where the industry is going in adding privacy features.

‘More privacy, you say? Sounds good to me.’ Well yes, but…

Let’s say you’re a business commuter using the same three networks most days: your train journey, morning coffee shop, and office. To those networks your behaviour was pretty predictable. With this feature, each of them sees a different private MAC address, and (in the beta) a new one every 24 hours, so the device’s MAC history is wiped and every day is a clean sheet.

Industry and user impact

This is a significant change and will have a major impact on Wi-Fi authentication, data collection, and customer experience. The impact is slightly different depending on how your users are authenticated to a network, but all traditional authentication methods are impacted.

Your biggest concern should be the effect on the Wi-Fi user experience. Enterprises and operators typically want smooth, painless Wi-Fi registration and onboarding journeys to match their brand experience, to give them a communication channel and opportunity for customer engagement.

But when users are effectively forgotten every day, many of these methods will see considerable disruption, and potentially customer dissatisfaction.

Your second concern, if you’re a business that relies heavily on Wi-Fi analytics, will be the loss of user data. An organisation will still be able to track customer behaviour within a 24-hour period; once the MAC address is regenerated after that window, however, each device is treated as a new device every day. Returning customers therefore can’t be identified or differentiated from first-time shoppers, passengers, or guests, for example.

If you rely heavily on this data for your marketing database, MAC randomisation will markedly reduce your data.
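What that loss looks like in the data, as an added example (editorial example code, not a GlobalReach tool, and the log lines are constructed rather than captured from any venue). It reads a hypothetical `date mac hostname` association log, counts how many distinct MACs per day are private, and counts how many were already seen on an earlier day, which is what a MAC-keyed analytics platform reports as repeat footfall. The two devices with hardware MACs are recognised as returning; the iPhone, which presents a fresh private MAC each day under the 24-hour rotation described above, never is.

```python
from collections import defaultdict
from datetime import date

UL_BIT, IG_BIT = 0x02, 0x01


def is_private_mac(mac: str) -> bool:
    """Locally administered unicast address (second hex digit 2, 6, A or E)."""
    first = int(mac.split(":")[0], 16)
    return bool(first & UL_BIT) and not (first & IG_BIT)


# Constructed sample of "date mac hostname" records, one per association per day. Not real
# venue data. The laptop and bobs-phone keep a hardware MAC; the iPhone presents a new private
# MAC on every visit, which is what the 24-hour rotation described in the article produces.
SAMPLE_LOG = """\
2020-07-01 a4:83:e7:11:22:33 alices-laptop
2020-07-01 06:1f:9a:c0:ff:ee iPhone
2020-07-01 d8:96:95:44:55:66 bobs-phone
2020-07-02 a4:83:e7:11:22:33 alices-laptop
2020-07-02 3e:7a:01:55:66:77 iPhone
2020-07-02 d8:96:95:44:55:66 bobs-phone
2020-07-03 a4:83:e7:11:22:33 alices-laptop
2020-07-03 ea:04:bb:12:34:56 iPhone
"""


def parse_log(text):
    """Parse the hypothetical log format into (date, mac, hostname) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, mac, host = line.split(maxsplit=2)
        rows.append((date.fromisoformat(day), mac.lower(), host))
    return rows


def daily_summary(rows):
    """Per day: unique MACs, how many are private, and how many were seen on an earlier day.
    'returning' is what a MAC-keyed analytics platform reports as repeat footfall."""
    by_day = defaultdict(set)
    for day, mac, _ in rows:
        by_day[day].add(mac)
    seen_before = set()
    summary = {}
    for day in sorted(by_day):
        macs = by_day[day]
        returning = macs & seen_before
        summary[day.isoformat()] = {
            "unique": len(macs),
            "private": sum(is_private_mac(m) for m in macs),
            "returning": len(returning),
            "returning_private": sum(is_private_mac(m) for m in returning),
        }
        seen_before |= macs
    return summary


def private_share(rows) -> float:
    """Fraction of distinct MACs in the log that are private, i.e. the share of apparent
    'devices' a MAC-keyed database can never match to a previous visit."""
    macs = {mac for _, mac, _ in rows}
    return sum(is_private_mac(m) for m in macs) / len(macs)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for day, stats in daily_summary(rows).items():
        print(day, stats)
    print(f"private share of distinct MACs: {private_share(rows):.0%}")
```

Note the second distortion this exposes: the log contains three real devices but five distinct MACs, so a MAC-keyed database does not just lose returning visitors, it also over-counts new ones. Run the same summary over your own accounting data to size the gap before deciding on Passpoint or another identity-based onboarding.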

If you’re a venue with a high returning footfall and you want to collect data about your users and customers, our advice is to make the move to Passpoint (Hotspot 2.0) Wi-Fi.

To understand why, here’s our impact summary across the different user journeys:

Any onboarding journey with data capture 

When MAC randomisation is enabled any Wi-Fi registration process that requires form filling – or even simple email capture – will start from scratch every day. The device will appear as new, requiring the user to re-enter details like their email address and to confirm marketing opt-in and T&Cs acceptance (if these exist).

That’s a frustrating process and a backward step if you work from the same coffee shop most days, or have a gym membership, are a frequent flyer or have other loyal consumer habits.

One-time sign-up

Hmmm. This now becomes not so ‘one time.’

Again, because devices have been forgotten, they are treated like new devices every day, meaning that users will be required to re-register every 24 hours.

Plan or policy-based access

Any plan lasting longer than 24 hours will need the user to log in every 24 hours.

SMS, or token-based registration

Any code sent to a user is tied to the MAC address of the device that requested it. If the device’s MAC changes before the code is used, the code can no longer be matched to the device, so codes not used within the 24-hour window become useless.

Custom authentication journeys

Any journey where a code or other verification token is stored against the device’s MAC address, rather than against a user identity or credential, will be broken by MAC randomisation, because the MAC the token was bound to will no longer be presented.

The solution  

If you still want to communicate, engage, and understand your customers, the good news is that there’s a way forward using secure Passpoint (Hotspot 2.0). However, Passpoint may not be right for every venue now, and there are other options which, as Wi-Fi authentication experts, we’re happy to explain to customers and partners.

Wi-Fi onboarding options following MAC randomisation: GlobalReach Technology

The bottom line is that we see MAC randomisation as an opportunity for retailers, transport providers, cities, enterprises and other venues to leap forward in terms of security and user experience.

The table below shows which operating systems support MAC randomisation:

*1 A developer option called enhanced MAC Randomisation introduces time-based.
*2 Correct at the time of publication (macOS 10.16, the Big Sur beta, is still in the beta phase).

We suspect (but don’t know for sure) that Apple will release the feature to iPhone and iPad users in September, with Android following within the next year. So there’s still time to mitigate the issue and put a better experience in place.

We’ve analysed and are consulting now on the best technical approach to manage this disruptive new feature.

Talk to your account manager or get in touch today.


Download our MAC Randomisation whitepaper here.