How to Address MAC Randomization Today & The Future of Seamless Wi-Fi Access
In part one of this blog topic, How MAC Address Randomization Can Affect the Wi-Fi Experience, we discussed what MAC address randomization is and why it matters, especially now. Here in part two, we’ll dive into proposed solutions to the challenges created by the looming proliferation of MAC address randomization. First, we'll share some of our latest research on Apple’s Private Address feature.
The Latest Developments with Private Address in Apple iOS14
With iOS 14 Beta 4 we see that random MAC addresses are still generated for new and existing networks; however, these addresses no longer change on a daily basis. In discussions we’ve had with representatives from Apple, they have been unable to confirm what the final behavior will be when iOS 14 becomes generally available, but have indicated that we should plan for the addresses to rotate daily. In other discussions, partners have reported being told by Apple that the implementation of daily rotation will be delayed for up to a year. Apple’s latest update to their support article on the subject does not say anything about rotation and simply states that: “To reduce this privacy risk, iOS 14, iPadOS 14, and watchOS 7 use a different MAC address for each Wi-Fi network. This unique, static MAC address is your device's private Wi-Fi address for that network only.”
Unfortunately, Apple has chosen to persist in their “code of silence” on a change that could significantly disrupt the ability of hotel guests, college students, cruise passengers, apartment residents, and senior living residents, among many others, to connect to Wi-Fi. Without clear indication from Apple on what the changes will be, and without adequate time to prepare and communicate this change to support staff and users, network and venue operators will be left holding the bag for Apple’s last-minute decisions. Others have questioned whether Apple’s true motivation for these changes is really in support of user privacy or whether they are being done to wrest even more control over advertising, payments, and identity.
While it’s still unclear whether we will see regularly changing MAC addresses on Apple devices in one month or one year, what is clear is that it is time for the Wi-Fi ecosystem to finally address its dependence on what has always been an unreliable identifier. While we support the efforts being made by Apple to improve user privacy, we have concerns about how it will negatively impact the user experience and have built a set of tools to mitigate this. We also believe that the technology needed to address both privacy and identity already exists and has been actively supported by both Android and Microsoft; we are disappointed that Apple has lagged behind in supporting the Hotspot 2.0 (Passpoint™) Release 2 and 3 standards.
Best in the Short Term: Detection & Education via the Captive Portal
The most immediate solution to this problem is to add “MAC randomization warning” logic into captive portals, which would make use of the device’s MAC address and web browser information in order to determine whether or not the MAC address has actually been randomized. Once the portal detects a randomized MAC address, it would display a message to the user. The messaging would be up to the strategic direction of the brand, but would effectively let the user know what the experience will be if they take no action and possibly provide device-specific instructions for how to change the setting back to having a consistent MAC address. Some operators may even choose to deny access to the network for those with randomized addresses.
While this sort of technical messaging and the potential added steps to get connected are no one’s idea of an ideal experience, a second downside of this approach is the perception it could give users of the operator’s stance on security and privacy. Messaging the user to turn off the Private Address feature could be perceived as a brand’s promotion of “tracking” and as encouraging users not to use the most secure settings suggested by Apple. Despite these shortcomings, effective real-time detection and messaging is one way of helping users understand what’s happening and why.
In addition to doing some smart detection and providing real-time feedback, hotel staff and support technicians should be equipped with the necessary information across the ecosystem, so that users can find quick answers to their questions. This isn’t the most elegant solution, but we believe it is the best short-term option, given the reliance on MAC addresses in the Wi-Fi user experience.
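The detection step described above, as an added example that is not ElevenOS code: randomized (private) Wi-Fi addresses are drawn from the locally administered range, so a captive portal can flag them by testing the U/L bit of the first octet, and the user-agent check is only a coarse platform hint for choosing device-specific wording. The sample MAC addresses and user-agent strings are constructed.

```python
"""Randomized-MAC detection for a captive portal (added example, not ElevenOS code).

Randomized / private Wi-Fi addresses are locally administered: bit 1 (value
0x02) of the first octet is set, so the second hex digit of the address is
2, 6, A or E. Vendor burned-in addresses have that bit clear and start with
a registered OUI, so their prefix is meaningful; a random address's is not.
"""
import re

_HEX = set("0123456789abcdef")


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits; raise ValueError if malformed."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if len(digits) != 12 or any(c not in _HEX for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit is set, i.e. the address was not burned in by a vendor."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def platform_hint(user_agent: str) -> str:
    """Coarse platform guess from the browser UA the portal already receives."""
    ua = user_agent.lower()
    if "iphone" in ua or "ipad" in ua:
        return "ios"
    if "android" in ua:
        return "android"
    if "windows" in ua:
        return "windows"
    return "unknown"


def classify_client(mac: str, user_agent: str) -> dict:
    """Decide whether the portal should show the randomization warning.

    A set U/L bit is a strong signal but not proof (VMs and manually assigned
    addresses are locally administered too), and a single address cannot tell
    a per-network static private address from one that rotates daily; the
    portal only learns that this address will not reliably identify the device.
    """
    randomized = is_locally_administered(mac)
    return {
        "mac": normalize_mac(mac),
        "randomized": randomized,
        "platform": platform_hint(user_agent),
        "show_warning": randomized,
    }
```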
Best for Brand Loyalty Programs: Auto-Authentication via Hotspot 2.0
Hotspot 2.0, also known as Passpoint™, is a Wi-Fi standard that streamlines network access using downloadable profiles. ElevenOS utilizes the Hotspot 2.0 specification to deliver a connected guest experience that is simpler, smarter, and more secure. All a guest has to do is download a profile once per device and every time they return or visit another supported location, they will be instantly and seamlessly connected.
Because Hotspot 2.0 uses an installed profile instead of a device’s MAC address, it is unaffected by changes in MAC randomization behavior. We believe this solution is the future of Wi-Fi access and is best suited for brands that highly value customer loyalty and return visits, like those in the hospitality and retail markets, with benefits including:
- Instant Connection: After installing a profile, it’s just like the experience you have when you walk into your home or office. Your device will automatically connect before you even take it out of your pocket.
- Seamless Experience: With Hotspot 2.0, you don't have to open a web browser, enter a password in a login screen, or hunt for a network. The right network is automatically selected and you are seamlessly connected from place to place.
- Secure By Design: Hotspot 2.0 was designed from the ground up to be the safest and most secure way to connect to public-access Wi-Fi, using WPA2 encryption for enterprise-level security.
Best for Residents & Long-term Connectivity: Network Passphrases As Identifiers
Our new portal-free solution, called Personal Pass Key, is well suited to the multifamily market. Instead of entering a username and password on a captive portal, each user is provided with a unique login credential, which we call a Personal Pass Key. Users access the wireless network by entering their unique key, which is provided as part of the network onboarding process. Instead of everyone using the same network passphrase, each user has a unique key, which also acts as their identifier. Personal Pass Key benefits include:
- Frictionless Experience: Once a user completes the initial network enrollment, the Wi-Fi needs to be joined only once per device; it is remembered just as a traditional home network is.
- Quick Adoption: By design, Personal Pass Key does not require users to change the behavior they’re used to when accessing Wi-Fi networks; they simply select their network SSID and enter their unique passphrase and are connected.
- Enhanced Security: Traditional pre-shared keys have security flaws because many or all users access the network with the same key or passphrase; Personal Pass Key helps make users, devices, data and the network more secure.
The Bottom Line: Moving Beyond MAC Addresses
Beyond detection and captive portal messaging, the bottom line is that there is not much that can be done to “solve” MAC address randomization when it comes to Wi-Fi access. The fact that the ecosystem is so reliant on MAC addresses is unfortunate and shortsighted, and is reminiscent of the Y2K bug that came from using two digits to represent the year. It’s time for us to move beyond relying on MAC addresses to remember devices for Wi-Fi access. With a Wi-Fi management platform like ElevenOS, businesses can future-proof their Wi-Fi strategy with evolving connectivity solutions.