Previously, Wi-Fi hotspots largely relied on the static hardware Media Access Control (MAC) address of individual devices as part of the authentication and onboarding process. To better safeguard Personally Identifiable Information (PII) and block the ability to track an individual device, there has been a move towards increased user privacy and more ethical data collection. Operating systems including iOS, Android and Windows have increasingly rolled out measures that support these safeguards. The most disruptive is MAC address randomisation. This article outlines what has changed as we enter 2022.
Until 2020, this was an optional setting that users could switch on. But now, with Apple leading the charge, the main operating systems activate this setting by default.
While people have more privacy, their devices will switch MAC addresses at regular intervals or with every SSID change and appear as “new” devices to Wi-Fi networks. At best, and depending on the login journey, this will require re-authentication each time the MAC addresses. At worst, it could be a frustrating routine of repeated form filling or requesting a new code or token from venue operators and staff.
Commuters are not remembered at their usual train station, their morning coffee shop, or even at their office. Loyalty customers will not authenticate automatically, and internet purchases that span durations longer than the MAC change interval will end prematurely.
If you’re a hotspot provider, any back-end process that relies on a MAC address – loyalty programs, internet purchases, marketing, operations, analytics, etc. – will also be affected.
Fig. 1 below provides the status of MAC address randomisation implementation across the major operating systems in January 2022.
iOS 15
MAC address randomisation is switched on per SSID by default for users. This sees a new device MAC address generated for use with every Wi-Fi network.
Android 12
The same user experience is true for Android 12 as iOS 15, but users can choose to rotate the device’s MAC address every 24 hours through their settings for extra privacy.
Windows 11
MAC address randomisation is off by default. Users can enable it within their Wi-Fi settings. Users also have the option to rotate the MAC address every 24 hours when manually switched on.
ChromeOS
Late in 2021, the ChromeOS development team stated that they were also working on MAC address randomisation, and will begin to introduce this feature in 2022.
Addressing the Challenge
There is no one-size-fits-all way to manage and mitigate the effects of these changes. However, two potential options are the Device Intelligence and the Passpoint approaches, which each see advantages and drawbacks.
The Device Intelligence Approach
Some vendors have chosen to build an identity for each device through network traffic observation via an on-site appliance for port mirroring, combined with a cloud platform. However, the concerns are:
- User traffic is used to build identity profiles for all devices accessing a network. This is contrary to the privacy goals of MAC address randomisation and could see vendors add future safeguard measures that will break this approach.
- It introduces a third-party listening device within the property’s private network which broadcasts usage data to a cloud platform. This raises red flags from a security point of view for many network managers, and few organisations allow the use of permanent port mirroring. Moreover, it does not address other Wi-Fi authentication, encryption, or rogue access point concerns, for example.
- Hardware-wise, this approach only works with managed switches and has the potential of generating performance side effects such as CPU stress, traffic latency, and bottlenecks. Many of the additional claimed benefits in terms of analytics such as quality of service, suspicious behaviour detection, etc. are generally already viewable via the switches’ management dashboards.
- A brand will not be able to use MAC address randomisation as an opportunity to help increase its application’s adoption. From a marketing point of view, this limits its loyalty and upsell potential – or other avenues that alternative options could open.
The Passpoint (Hotspot 2.0) Approach
Passpoint is a mature industry standard that allows devices to connect seamlessly to – and roam between – available Passpoint-configured Wi-Fi hotspots. It does not rely on MAC addresses or SSIDs.The standard is designed with user privacy and security at its core, and it’s a compelling way to future-proof compatible devices.
Using Passpoint provides a “mobile-like” Wi-Fi experience by removing the hurdle of finding, selecting and registering with public Wi-Fi networks while increasing security and privacy compared with traditional hotspots. In addition, it offers venues a revenue opportunity to take advantage of excess bandwidth capacity to offload mobile carrier networks’ traffic.
Following a simple one-time onboarding process that can be facilitated by mobile applications, users download the required credentials and security certificates onto their mobile devices. From that point on, connection to Passpoint-capable networks is automatic and authentications are not affected by MAC address randomisation.
Passpoint enables:
- Seamless, private and secure Wi-Fi access through a simple one-time onboarding task, followed by frictionless connection and roaming within branded venues and networks – and third-party partner networks if desired.
- A solution that complies with privacy and confidentiality standards.
- Value-added services and upsell opportunities through safe integrations with back-end platforms for tailored content and entitlements, geofencing, analytics and more.
- Mobile carrier network interconnections and data offload options, with the potential to resell properties’ spare Wi-Fi capacity.
The Good News
Although an impending and disruptive feature, solutions are available to mitigate the effects of MAC address randomisation. There is no simple out-of-the-box solution for every use case, It is crucial to consider the wider picture and to avoid non-standard solutions that veer from security and privacy best practices.
While Passpoint is not for everyone, and other solutions exist, it is a compelling industry-standard approach that is worth considering.
We are recognised Passpoint technology experts. Talk to us about your venue or network concerns.