MAC Address Randomization: Is Passpoint the Solution or Just Part of It?
As MAC address randomization becomes more aggressive with each OS release, network operators are looking for ways to replace the broader functionality the MAC address provides today, which ranges from authentication to personalization and network troubleshooting. One proposed answer to aggressive MAC address randomization is the industry standard Passpoint (also known as Hotspot 2.0). Another is a private pre-shared key (PSK) for every user. While both have strengths, neither was designed to cover all of the use cases that MAC randomization affects, and in many scenarios both require considerable investment and integration effort. There is a third class of solutions that can be transparent to the user, requires no changes to the network, and does not involve the guest in any way. Combined with Passpoint or PSK, this can be the best way forward to overcome MAC randomization.
A Quick Passpoint Overview
The Wi-Fi Alliance (WFA) introduced Passpoint in 2012 with the goal of transforming the Wi-Fi hotspot experience. The initial focus of the technology was to simplify roaming across networks and to enable shifting traffic off cellular networks onto Wi-Fi. For the past eight years, Passpoint has effectively worked in the background to make this happen. To work, it requires a credential, typically a certificate (a username/password or SIM credential is also possible, depending on the EAP method), to be provisioned on the device for each network. For cellular offload that is an easy process, because the cellular service provider can install the credential on the device directly. For other networks, the user has to take action to get the credential onto the device. Overall, Passpoint is a highly secure method of user identification and authentication. However, the rollout beyond cellular offload has been limited, and there is still significant variation in the provisioning process across device types and service providers.
Passpoint as a Solution to MAC Address Randomization
Passpoint has been suggested as a solution to some of the problems caused by MAC randomization. For some applications, such as identifying loyalty-program users, it is a strong solution. This is particularly true when a loyalty app can abstract away some of the details of Passpoint certificate installation, at least on a phone. However, this does not cover the following scenarios:
- Occasional guests are much less likely to have the loyalty app on their device. They are also much less likely to install something on their phone or laptop for what is likely to be a short, one-time stay.
- Loyalty-program customers, like any customers, often use multiple devices. For business-related stays, the guest might use a company-issued laptop or phone. Many corporate IT departments restrict employee installation of third-party apps and certificates on company-owned devices because of security concerns. This means the guest may have trouble accessing the network for work purposes, which undermines the reason for their stay.
- Many privacy-aware users, especially in the younger generation, are unwilling to install apps on their devices, since apps are perceived as a privacy and security risk.
- Finally, there are emerging cost and time concerns from hotel brands about the complexity of the integration. A significant capital expense stands as another hurdle to immediate Passpoint adoption, and many smaller brands may struggle to get Passpoint integrated in a timely manner. This is even more the case in a post-COVID era in which the IT teams of many brands have been stretched thin.
DPSK as a Solution to MAC Address Randomization
DPSK (Dynamic Pre-Shared Key) is a solution developed by CommScope (Ruckus) and reportedly patented by them. The idea is to issue each user a different pre-shared key and then use that key for user identification. From a user-experience perspective, not much changes from how things work today, which is a plus; however, there are two issues with this approach:
- Use of DPSK results in vendor lock-in, as it is not broadly supported by all AP makers, and consequently its integration requires considerable resources and time, and
- DPSK is intended for user authentication rather than device authentication, so if a network administrator wants to limit the number of devices connected per user, or enforce certain policies for individual devices, this is not the best fit.
The Need for a Complementary Solution
Both Passpoint and DPSK are valid solutions to some of the issues facing the industry. However, there are many scenarios they do not cover, and they are not the best fit for every brand. The industry needs a solution that maintains, or even improves, users' network experience while protecting user privacy and eliminating the impact of MAC randomization on current network services. It needs a solution that works behind the scenes and is transparent to the user, while still allowing accurate device and user identification, and that can be deployed without requiring every user to perform a multi-step action on each of their devices. Such a solution must work with existing infrastructure and support all devices: personal, work or IoT, wired and wireless. And it must not require considerable human and financial resources.
Such a solution may seem too perfect to exist, but it can in fact be achieved through passive authentication techniques. Passive authentication is the process of passively analyzing many characteristics of how a device communicates on the network and building a unique model (identity) of the device from that information, without requiring anything from the device or modifying it in any way. The device identity is the model of how the device communicates, and it uniquely identifies the device. Because this identity is inferred from observed behaviour rather than from a credential the device presents, its accuracy and reliability have to be demonstrated in practice; if passive authentication solutions can work in real time and meet that bar, they can transform how devices are identified in hospitality networks. Passive solutions require zero involvement from hotel guests. The ID is generated and maintained within the network. It can be network-specific, which increases security and privacy, since the same device does not carry one identifier across networks. LEVL is an example of a company that delivers such a solution, paving the path to a device identity that is privacy-friendly, accurate, and easy to deploy.
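The two mechanisms this page discusses, recognising a randomized MAC and deriving a network-specific device identity from attributes that do not change when the MAC does, can be shown in a few lines. The following is an added example written for this page; it is not LEVL's code and does not describe the LEVL-IQ platform. The attribute set (DHCP parameter request list, vendor class, hostname, IP TTL, 802.11 HT capabilities) and the session records are constructed for illustration, and the fingerprint is a deliberately simple hash over those attributes rather than a learned model.

```python
"""
Added example for this article (not LEVL product code).

1. is_randomized_mac(): every randomized MAC that iOS, Android, Windows and
   macOS generate has the IEEE "locally administered" bit set (bit 1 of the
   first octet, mask 0x02). That makes it a cheap first-pass signal, but not
   proof: VMs, docking stations and hand-assigned addresses set it too.
2. passive_fingerprint(): derives a device ID from attributes observed on
   the wire that survive a MAC change. A per-network salt makes the ID
   network-specific, so the same device gets an unrelated ID elsewhere.
"""
import hashlib
from typing import Dict, List

# Constructed sample sessions (assumption: attributes an operator could log
# from DHCP and 802.11 association frames). The first two are the same
# phone joining twice, once with its burned-in MAC and once randomized.
SESSIONS: List[Dict[str, object]] = [
    {"mac": "3c:22:fb:aa:bb:cc", "dhcp_prl": "1,121,3,6,15,119,252,95,44,46",
     "vendor_class": "", "hostname": "iPhone", "ttl": 64, "ht_caps": "0x002d"},
    {"mac": "da:a1:19:01:02:03", "dhcp_prl": "1,121,3,6,15,119,252,95,44,46",
     "vendor_class": "", "hostname": "iPhone", "ttl": 64, "ht_caps": "0x002d"},
    {"mac": "8e:5f:3a:44:55:66",
     "dhcp_prl": "1,3,6,15,31,33,43,44,46,47,119,121,249,252",
     "vendor_class": "MSFT 5.0", "hostname": "DESKTOP-7Q2", "ttl": 128,
     "ht_caps": "0x19ef"},
]


def is_randomized_mac(mac: str) -> bool:
    """True when the locally-administered bit of the first octet is set."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def passive_fingerprint(session: Dict[str, object], network_salt: str) -> str:
    """
    Hash every observed attribute except the MAC, keyed by a network-specific
    salt. Sorting the keys makes the ID independent of attribute order.
    Limitation: two identical devices with identical settings collide; a real
    system uses many more features (timing, RF behaviour) and must measure
    its accuracy rather than assume it.
    """
    stable = {k: v for k, v in session.items() if k != "mac"}
    material = network_salt + "|" + "|".join(f"{k}={stable[k]}" for k in sorted(stable))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:16]


def group_sessions(sessions: List[Dict[str, object]], network_salt: str) -> Dict[str, List[str]]:
    """Map each derived device ID to the MACs it has been seen with."""
    groups: Dict[str, List[str]] = {}
    for s in sessions:
        groups.setdefault(passive_fingerprint(s, network_salt), []).append(str(s["mac"]))
    return groups


if __name__ == "__main__":
    for s in SESSIONS:
        print(f"{s['mac']}  randomized={is_randomized_mac(str(s['mac']))}")
    for device_id, macs in group_sessions(SESSIONS, "hotel-a").items():
        print(f"device {device_id}: seen as {', '.join(macs)}")
```

Run against the constructed records, the second session is flagged as randomized yet lands in the same group as the first, because nothing but the MAC changed; the Windows laptop forms its own group. Changing the salt to another network's value yields different IDs for every device, which is the property that keeps the identity from being correlated across properties.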
Daniel Zahavi is the co-founder and CEO of LEVL. He is one of the inventors of the LEVL-IQ platform for device intelligence and identity and has published multiple papers on secrecy and performance of wireless networks.