Addressing MAC randomization—the case for Passpoint in the hospitality industry

Hoteliers need a secure, reliable way of identifying guest devices to ensure adequate quality of service to their most loyal guests while minimizing abuse.

MAC address randomization challenges in hospitality

The captive portal is a hack.

In the hotel space, a captive portal has always been a necessary evil: it is considered the only way to grant access to guests while keeping the obstacles to connectivity small. Guests want transparent, reliable and responsive Wi-Fi connectivity that is at least equivalent to what they get at home.

Until now, the hospitality industry has relied on MAC authentication via captive portal to deliver repeat Wi-Fi access to guests: the device's MAC address is learned when the guest logs in at the portal, and the network re-admits that address without further prompting for the rest of the stay. This method has serious security shortcomings (a MAC address is trivially spoofed, and the open SSID carries no link-layer encryption), but it has provided a good user experience and allowed properties to effectively monetize the guest connectivity experience.

With the rise of headless Wi-Fi devices such as gaming consoles, smart watches, streaming media players and other IoT devices, onboarding these devices onto a guest network is cumbersome at best. At the same time, stronger attention to privacy has led mobile device vendors such as Google and Apple to strengthen their anonymization by introducing features such as MAC address randomization, enabled by default on current Android and iOS releases and applied per network. MAC randomization has the potential to disrupt the user experience in hospitality environments. When a device no longer presents a static MAC address, the network will not recognize it when it reconnects, so the guest is sent back through the captive portal. This is especially problematic when the guest has paid for Wi-Fi access. Where the MAC address is used as the basis for tailoring the user experience during the course of the guest's stay, this will also hamper the ability of hotels to realize revenue opportunities.
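To make the failure concrete, here is an added example (not code from the original article or from any vendor product) that mimics a captive-portal MAC authorization table and shows why a randomized address defeats it. The table contents, the MAC addresses and the guest records are constructed for illustration. The one thing the example does not make up is the address-format rule: the second-lowest bit of the first octet of a MAC address is the IEEE "universal/local" (U/L) bit, and randomized addresses set it.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed MAC authorization table: what a captive-portal "remember this device"
# flow stores after a guest logs in once. Keyed on the MAC address seen at login.
MAC_AUTH_TABLE: Dict[str, Dict[str, str]] = {
    "3c:22:fb:12:34:56": {"guest": "guest-1042", "room": "1042", "plan": "premium"},
}


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff (as seen in
    controller logs from different vendors) and return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """U/L bit (value 0x02 in the first octet). Burned-in, OUI-assigned addresses
    clear it; randomized addresses generated by Android/iOS/Windows set it."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def is_multicast(mac: str) -> bool:
    """I/G bit (value 0x01 in the first octet); never valid as a station address."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x01)


def mac_authorize(mac: str, table: Dict[str, Dict[str, str]] = MAC_AUTH_TABLE
                  ) -> Tuple[Optional[Dict[str, str]], str]:
    """Captive-portal style re-admission: look the client's MAC up in the table.
    Returns (record, reason). The reason string explains a miss to the operator."""
    key = normalize_mac(mac)
    if is_multicast(key):
        return None, "multicast/group address; not a station"
    record = table.get(key)
    if record is not None:
        # Note the weakness: anyone who spoofs this address is admitted as this guest.
        return record, "known device"
    if is_locally_administered(key):
        return None, ("randomized (locally administered) address; "
                      "MAC-based recognition cannot identify a returning device")
    return None, "unknown burned-in address; new device, send to portal"


def demo() -> Tuple[str, str]:
    """Same phone, two visits: first with its burned-in MAC (as remembered at the
    portal), then after per-network randomization assigns it a private address."""
    _, first_visit = mac_authorize("3C22.FB12.3456")   # Cisco-style formatting
    _, second_visit = mac_authorize("da:a1:19:00:11:22")  # da = 1101 1010b, U/L bit set
    return first_visit, second_visit


if __name__ == "__main__":
    print(demo())
```

Two caveats for anyone running this against real logs. The U/L bit check is a hint, not proof: virtual machines and some vendor products also use locally administered addresses, and a randomized address that a platform keeps stable per SSID may still be recognized for a while. And the check does nothing about the underlying weakness of MAC authorization, which the `known device` branch makes visible: a burned-in address copied from another guest's device is admitted without any challenge.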

The time is ripe to move away from the captive portal hack to a more standards-based approach.

Hospitality industry perspective

Passpoint® (the Wi-Fi Alliance certification for Hotspot 2.0, built on IEEE 802.11u) has long been of interest primarily to network operators and only secondarily to hospitality stakeholders. Passpoint gives guests a seamless connection that is authenticated and encrypted (WPA2/WPA3-Enterprise with 802.1X/EAP rather than an open SSID) and paves the way for additional feature sets such as room-based private area networks and tiered bandwidth levels based on loyalty program membership level. To the hotelier, Passpoint is an opportunity for guest loyalty and direct monetization.

Obstacles to Passpoint adoption in the hospitality industry

Passpoint reliance on multiple components and services for network connectivity

Passpoint relies on several distinct components (RADIUS server, certificate authority, user database, profile originator) as well as third-party services and roaming agreements working together smoothly to support network connectivity. Should any one component fail, guest connectivity may fail altogether, which would increase guest complaints and hurt guest satisfaction survey (GSS) scores.

There are already industry initiatives, such as WBA OpenRoaming and Google Orion, that take over the burden of effort by pre-packaging all the services needed as well as handling all roaming partnerships and payment exchanges into a simple platform. Hoteliers simply plug their existing Wi-Fi infrastructure into one or several of these brokers to start profiting from Passpoint.

In the case of onboarding loyalty members, an all-encompassing secure network access platform such as RUCKUS® Cloudpath® Enrollment System connects to an existing loyalty rewards program database and handles all aspects of Passpoint onboarding and maintenance.

Passpoint device support

Passpoint is supported by the major operating systems (Google Android, Apple iOS and macOS, and Microsoft Windows), but there is almost no support for Passpoint on consumer devices such as gaming consoles or streaming media devices. We expect this to change in the near future with the introduction of Wi-Fi Vantage device certification by the Wi-Fi Alliance, which requires support for Passpoint.

Network onboarding complexity

Onboarding a device using a captive portal uses a simple web browser as the interface and readily available identity information such as room number, last name, email, etc. Conversely, Passpoint authenticates with EAP, which in the hospitality case means loyalty rewards program credentials (a username/password carried inside an EAP-TTLS tunnel, or a device certificate issued at enrollment) that may not be readily available. Also, the installation of a Passpoint profile, although straightforward on most platforms, will be unfamiliar to the user and may appear intimidating. We expect this complexity to be considerably reduced by integrating device enrollment as a feature in the loyalty mobile app.

Guests are used to hotel captive portals

Finally, but most importantly, users have become accustomed to using captive portals to connect to public Wi-Fi networks. Any radical deviation from this norm could raise suspicion about their privacy and the trustworthiness of the network.

The solution to MAC address randomization challenges for hospitality

The long-term solution is to implement Passpoint. However, jumping straight (and only) to Passpoint might not be the ideal solution due to the challenges already discussed, so a phased implementation would be preferred. This gives guests the opportunity to adapt and ensures that client devices are ready for a full Passpoint rollout.

Step 1—deploy dynamic pre-shared keys

The first step is to give guests a unique identifier for their devices that does not rely on the device MAC address. To keep things simple, we suggest using dynamic pre-shared keys (DPSK). This feature creates a distinct PSK[1] for each guest on a single WPA2-Personal SSID; the controller identifies the guest by which PSK completes the WPA2 4-way handshake, so the device's MAC address plays no part in recognizing it. The PSK is presented to the guest via the existing captive portal or sent by email before arrival at the property. The guest then connects all their devices to the secure Wi-Fi network using this unique PSK. This is an intuitive and familiar process as it is identical to joining their home network, and it works for every device, because PSK is supported by all Wi-Fi devices.

Using a unique DPSK for each guest allows further flexibility such as tiered bandwidth plans based on loyalty status or booked room type. It is also safer for the guest: traffic is encrypted, and because the key is not shared with other guests, another guest who captures the 4-way handshake cannot derive the session keys the way they could on a hotel network with one common password. Since the DPSK is unique to that guest, it can be revoked at check-out (or given an expiry matching the stay) to ensure there is no abuse of the Wi-Fi network by non-guests.
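The following added example (written for this article; it is not RUCKUS code or any product's implementation) shows the mechanism that lets a controller tell guests apart by PSK instead of by MAC address. It implements the standard WPA2-Personal key derivation (PBKDF2 passphrase-to-PMK, PRF-512 PTK expansion, HMAC-SHA1-128 EAPOL-Key MIC) and then, on the controller side, tries each guest's precomputed PMK against message 2 of the 4-way handshake until one validates the MIC. The SSID, passphrases, guest IDs, MAC addresses, nonces and the EAPOL-Key body are all constructed stand-ins, not captured traffic.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

SSID = "HotelGuestSecure"  # assumed SSID, constructed for this example


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || counter), counter 0..3."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(ANonce,SNonce)||Max(ANonce,SNonce));
    the KCK used to MIC handshake frames is the first 128 bits of the PTK (WPA2 PSK AKM)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_key_mic(kck: bytes, eapol_frame_with_zero_mic: bytes) -> bytes:
    """WPA2 Key MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_with_zero_mic, hashlib.sha1).digest()[:16]


class DpskPool:
    """Per-guest PSKs on one SSID. PMKs are computed once at issuance, so each
    handshake costs one PRF plus one HMAC per candidate key rather than a PBKDF2."""

    def __init__(self, ssid: str) -> None:
        self.ssid = ssid
        self._pmks: Dict[str, bytes] = {}

    def issue(self, guest_id: str, passphrase: str) -> None:
        self._pmks[guest_id] = pmk_from_passphrase(passphrase, self.ssid)

    def revoke(self, guest_id: str) -> None:  # check-out
        self._pmks.pop(guest_id, None)

    def identify(self, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                 msg2_frame: bytes, msg2_mic: bytes) -> Optional[str]:
        """Controller side: which guest's PSK validates message 2 of the 4-way handshake?
        The station MAC (spa) is only a handshake input, not the lookup key, so a
        randomized MAC changes nothing here."""
        for guest_id, pmk in self._pmks.items():
            kck = derive_kck(pmk, aa, spa, anonce, snonce)
            if hmac.compare_digest(eapol_key_mic(kck, msg2_frame), msg2_mic):
                return guest_id
        return None


def station_msg2_mic(passphrase: str, ssid: str, aa: bytes, spa: bytes,
                     anonce: bytes, snonce: bytes, frame: bytes) -> bytes:
    """Station side: the MIC it would place in message 2 using its own PSK."""
    kck = derive_kck(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    return eapol_key_mic(kck, frame)


# Constructed demonstration values (not captured traffic).
AP_MAC = bytes.fromhex("00112233aabb")
PHONE_RANDOM_MAC = bytes.fromhex("daa119001122")  # locally administered bit set
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
MSG2_BODY = b"\x02\x01\x0a" + b"\x00" * 16 + b"constructed EAPOL-Key message 2 body, MIC field zeroed"


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Guest 1042 joins with a randomized MAC, is identified by key, checks out, and
    a later attempt with the same key is rejected."""
    pool = DpskPool(SSID)
    pool.issue("guest-1042", "Tulip-Marmot-4471")
    pool.issue("guest-1318", "Ferry-Cobalt-9026")
    mic = station_msg2_mic("Tulip-Marmot-4471", SSID, AP_MAC, PHONE_RANDOM_MAC, ANONCE, SNONCE, MSG2_BODY)
    before = pool.identify(AP_MAC, PHONE_RANDOM_MAC, ANONCE, SNONCE, MSG2_BODY, mic)
    pool.revoke("guest-1042")
    after = pool.identify(AP_MAC, PHONE_RANDOM_MAC, ANONCE, SNONCE, MSG2_BODY, mic)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping in mind. The trial-match loop is linear in the number of outstanding keys, which is why products precompute PMKs and why keys should expire with the stay rather than accumulate. And this is a WPA2-Personal technique: WPA3-Personal (SAE) does not derive the PMK from the passphrase in a way that permits this kind of trial match, so per-user passwords there rely on the SAE password identifier instead.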

Step 2—deploy a Passpoint network

We now want to tie in with the brand loyalty program and loyalty mobile app. This is where we would deploy a Passpoint network. Passpoint provides a smoother connectivity experience to the guest and enables cross-brand connectivity without having to manually select the Wi-Fi network at each property. The guest simply logs into the mobile app—during booking or while already on-site—and is presented with the option to enroll in automatic Wi-Fi connectivity. By accepting, guests will be connected immediately and securely to any Wi-Fi network within the brand group, even while their smartphone is still in their pocket.

At this stage, the brand or property can even opt to monetize their Wi-Fi network by registering with a cellular roaming broker. This would allow cellular operators to buy Wi-Fi access from the property to offload their cellular users to the hotel Wi-Fi network.

Step 3—further enhance the hotel guest connectivity experience

With DPSK and Passpoint we now have authentication and encryption for all of our guests' Wi-Fi devices. This opens the door to further enhancing guest connectivity through property management system (PMS) tie-ins: guests can create their own private area network between their multiple devices and interact directly with in-room devices such as TVs and HVAC controls. It also makes light guest-location tracking possible for contactless F&B deliveries.

Benefits to migrating from captive portals in the hospitality industry

Such a gradual migration away from the captive portal minimizes disruption for guests, which will increase the take-up rate of alternative, secure and scalable authentication methods. It also staggers cost and resource investment while delivering a quick ROI.

Secure network onboarding increases guest willingness to use the network. That in turn yields more detailed, relational analytics that help you understand the relationship between your brand and different guest profiles, whether based on demographics, loyalty-driven versus OTA-driven bookings, or different loyalty tiers.

[1] Q: What is a PSK? A: Think of your own Wi-Fi network at home; do you need a password to connect? That password is called a PSK or pre-shared key. On a conventional home network every device uses the same one; DPSK gives each guest their own.