MAC Randomization: How to Maintain the Guest Internet Experience

What is the issue?

Wi-Fi hotspots today largely rely on the static hardware Media Access Control (MAC) address of individual devices as part of the authentication and onboarding process. However, this solution is about to be heavily disrupted.

In a push to better safeguard Personally Identifiable Information (PII) and to block the ability to track this data, operating systems such as iOS, Android or Windows are increasingly rolling out protective measures – the most disruptive being MAC address randomization. Until now, this has been an optional setting, but big players like Apple are expected to start activating it by default in the near future, triggering the rest of the industry to follow suit.

While users will enjoy more privacy, the trade-off is that their devices will switch addresses and appear as “new” to Wi-Fi hotspots at regular intervals or with every SSID change, requiring re-authentication.

This type of experience will obviously create frustration, especially if the Wi-Fi registration process involves repeatedly filling out online forms or re-obtaining codes or tokens from a front desk, etc. Loyalty members will no longer be authenticated automatically. Internet purchases whose duration exceeds the reset interval will end prematurely.

From the point of view of a hotspot provider, any back-end process that relies on the MAC address – whether for loyalty programs, internet purchases, marketing, operations, analytics, etc. – will also be affected.


Addressing the challenge

There is no one-size-fits-all solution to this situation, and each option comes with advantages and drawbacks. In this short article, we cover two different potential approaches.

The Device Intelligence Approach

Some vendors propose resolving the MAC address randomization question through a device intelligence approach. This is typically done by building an identity for each device from observed network traffic, using an on-site appliance fed by port mirroring and combined with a cloud platform.

The concerns with this method are multiple:

  • Contrary to privacy goals, user traffic is continuously scrutinized to build identity profiles for every device accessing the network. This directly circumvents the purpose of MAC randomization and is likely to prompt operating system vendors to implement further safeguards that break this approach.
  • From a security point of view, this introduces a third-party listening device inside the property’s private network, which then sends usage information over the internet to a cloud platform. This will raise red flags for many network managers, and organizations generally do not permit permanent port mirroring. It is also worth noting that this approach does not address other Wi-Fi hotspot security concerns such as authentication, encryption, rogue access points, etc.
  • Hardware-wise, this is only compatible with managed switches and can generate performance side effects such as CPU stress, traffic latency, and bottlenecks. Many of the additional claimed analytics benefits (Quality of Service, suspicious behavior detection, etc.) are generally already available from the switches’ own management dashboards.
  • From a marketing angle, this does not allow a brand to use MAC address randomization as an opportunity to increase adoption of its application, and therefore its loyalty and upsell potential – or any of the other avenues that alternative options could open.

The Passpoint (Hotspot 2.0) Approach

Passpoint (Hotspot 2.0) is an industry-wide standard that allows devices to connect seamlessly to – and roam between – available Passpoint-configured Wi-Fi hotspots. Passpoint offers a “mobile-like” experience by removing the hurdle of finding, selecting and registering with public Wi-Fi networks, at the same time increasing security and privacy compared with traditional hotspots. In addition, Passpoint offers the revenue opportunity to take advantage of excess bandwidth capacity to offload mobile carrier networks’ traffic.

Subscribers follow a simple one-time onboarding process to download the required credentials and security certificates onto their mobile devices. From that point on, they automatically connect to Hotspot 2.0-capable networks without needing to do anything more. Moreover, because the network identifies the subscriber by the credentials in the installed profile rather than by the device’s hardware address, authentication based on local profiles is not affected by MAC address randomization.
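The contrast between the two authorization models described above (a hotspot that binds a session to the client MAC, as in the issue section, versus one that binds it to an authenticated subscriber identity carried in an installed credential) can be made concrete with a short simulation. The following code is an added example and is not from the article or from any Passpoint implementation; the portal classes, the subscriber names, the credential-to-subscriber map and the sample MAC addresses are all constructed. It also includes the locally-administered (U/L) bit check, which is how a portal can recognise that an address is randomized and therefore not a stable identifier.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample addresses (not taken from the article).
HARDWARE_MAC = "3C:22:FB:12:34:56"   # first octet 0x3C: U/L bit clear (burned-in style)
RANDOM_MAC_1 = "DA:1B:9C:77:88:99"   # first octet 0xDA: U/L bit set (randomized style)
RANDOM_MAC_2 = "F6:02:4E:AA:BB:CC"   # the same device after a rotation

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Return the canonical lower-case colon form; reject malformed input."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac.replace("-", ":").lower()


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    OS-level MAC randomization produces locally administered addresses, so this
    check tells a portal the address is not a stable identifier. It says
    nothing about which device it is.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


@dataclass
class Session:
    subscriber: str
    expires_at: int  # simulated clock, seconds


class MacKeyedPortal:
    """Classic captive portal: authorization state is indexed by the client MAC."""

    def __init__(self) -> None:
        self._by_mac: dict[str, Session] = {}

    def login(self, mac: str, subscriber: str, now: int, ttl: int) -> None:
        self._by_mac[normalize_mac(mac)] = Session(subscriber, now + ttl)

    def is_authorized(self, mac: str, now: int) -> bool:
        s = self._by_mac.get(normalize_mac(mac))
        return s is not None and now < s.expires_at


class IdentityKeyedPortal:
    """Credential-based access: the device proves a subscriber identity on every
    association (as an installed EAP profile does) and state is indexed by that
    identity; the MAC seen on the wire is not part of the key."""

    def __init__(self, credentials: dict[str, str]) -> None:
        self._credentials = credentials  # constructed credential -> subscriber map
        self._by_subscriber: dict[str, Session] = {}

    def associate(self, credential: str, now: int, ttl: int) -> str | None:
        """Authenticate; start a session only if none is live. Returns the subscriber."""
        subscriber = self._credentials.get(credential)
        if subscriber is None:
            return None
        live = self._by_subscriber.get(subscriber)
        if live is None or now >= live.expires_at:
            self._by_subscriber[subscriber] = Session(subscriber, now + ttl)
        return subscriber

    def remaining(self, subscriber: str, now: int) -> int:
        live = self._by_subscriber.get(subscriber)
        return max(0, live.expires_at - now) if live else 0


def simulate(rotation_interval: int = 3600, purchase_ttl: int = 86400) -> dict:
    """One device buys a 24h pass, then its OS rotates the MAC after an hour."""
    mac_portal = MacKeyedPortal()
    mac_portal.login(RANDOM_MAC_1, "guest-42", now=0, ttl=purchase_ttl)

    id_portal = IdentityKeyedPortal({"cred-guest-42": "guest-42"})
    id_portal.associate("cred-guest-42", now=0, ttl=purchase_ttl)

    t = rotation_interval  # the device now presents RANDOM_MAC_2 on the air
    who = id_portal.associate("cred-guest-42", now=t, ttl=purchase_ttl)
    return {
        "mac_keyed_before_rotation": mac_portal.is_authorized(RANDOM_MAC_1, 0),
        "mac_keyed_after_rotation": mac_portal.is_authorized(RANDOM_MAC_2, t),
        "identity_keyed_after_rotation": who == "guest-42",
        "identity_keyed_remaining": id_portal.remaining("guest-42", t),
    }


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` shows the MAC-keyed portal treating the rotated address as an unknown client (the paid session is effectively lost after one hour), while the identity-keyed portal re-authenticates the same subscriber and continues the original session with its remaining time intact. The U/L bit check is useful on the MAC-keyed side as a signal that a given address should not be relied on for loyalty matching or long-lived purchases.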

As a high-level summary, Passpoint enables:

  • Seamless, private and secure Wi-Fi access through a simple one-time onboarding process, followed by automatic connection and roaming within brand properties as well as other partner networks if desired.
  • A solution that is not affected by MAC address randomization and complies with privacy and confidentiality standards.
  • Value-added services and upsell opportunities through safe integrations with back-end platforms for tailored content and entitlements, geofencing, operations, analytics, and more.
  • Mobile carrier network interconnections and data offload opportunities, which can lead to potential revenue for reselling properties’ spare Wi-Fi capacity.


In conclusion

MAC address randomization is an impending disruptive measure that is likely to become a real challenge for Wi-Fi authentication and loyalty programs in the near future. There is no simple out-of-the-box solution that covers every use case for every type of user or provider, and the options should be reviewed against individual context and long-term strategy. What is paramount is to consider the wider picture and to be wary of implementing non-standard solutions that are not in line with security and privacy best practices.

While Passpoint (Hotspot 2.0) is not for everyone, and other solutions exist – including using alternative authentication methods – it is a compelling industry standard approach that is opening new opportunities and that is worth considering.

