Android 10, Android 11, and Apple iOS 14 devices use randomized MAC addresses when connecting to wireless networks to provide privacy for users. Within Cloud4Wi, the MAC address is used as the unique identifier for users who subscribed using an account-less method such as click-through. Because of MAC address randomization, this one-to-one mapping no longer holds: returning users who originally subscribed before updating their iPhone to iOS 14 might not be automatically recognized, which can end up generating multiple records per person within the Cloud4Wi database.
For all new users, who subscribe to WiFi after having updated their iPhone, there is no impact on their experience or on system performance.
The next sections show how MAC address randomization is implemented on mobile endpoints:
Google Android 10 and Android 11
- Randomization is enabled by default.
- When a user upgrades from a previous version of Android to Android 10 or Android 11, the saved Service Set Identifiers (SSIDs) will stay configured without randomization.
- Randomization can be set up per network profile (SSID).
- Once a random MAC address is used for a given network profile, the mobile device will continue to use the same random MAC address even after the user deletes the network profile and recreates the SSID/network profile.
- For more information on Android MAC randomization, see Privacy: MAC Randomization.
Apple iOS 14, iPad OS 14, and watchOS 7
- Randomization is enabled by default.
- When a user upgrades from a previous version of iOS to iOS 14, the randomization will be enabled for all of the existing SSIDs.
- Randomization can be set up per network profile (SSID).
- Once a random MAC address is used for a given network profile, the mobile device will continue to use the same random MAC address even after the user deletes the network profile and recreates the SSID/network profile.
Workaround/Solution
There is currently no large-scale solution for the issues introduced by third-party MAC address randomization; only workarounds are available. Some WiFi vendors allow the WiFi network to be configured to force the use of the real MAC address by sending a specific WiFi payload attribute; Cisco Meraki, for example, offers this option. However, when this option is used, the user's device will mark the WiFi network as "less secure".
Detection & Education via the Captive Portal
While it is possible to disable MAC address randomization at a per-device level, asking users to take this action creates additional friction. This sort of technical messaging and the extra steps needed to get connected are not an ideal experience, and a second downside of this approach is the perception it could give users of the brand's stance on security and privacy. Messaging the user to turn off the Private Address feature could be perceived as the brand promoting "tracking" and encouraging users not to use the most secure settings suggested by Apple.
Collect users' identity on the Splash Page (coming soon)
This option aims to recognize returning users who use a click-through ("account-less") authentication method on the Splash Page by asking them to fill in some basic attributes, such as their phone number. Cloud4Wi will search the database for records matching the set of attributes and, if a match is found, the user will be associated with the existing account. For additional security, a contact verification method such as OTP via SMS can be enabled.
This technique also allows reconciling existing users who come back after having updated their OS to a version that uses MAC randomization. Once they verify their identity and are reconciled with the existing account, the new randomized MAC address won't change anymore and they'll be seamlessly authenticated on their following visits.
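As an added example (not Cloud4Wi's own code), the following Python shows two things from this article: the check that tells a private (randomized) address from a hardware one, using the locally administered bit of the first octet, which iOS 14 and Android 10+ set on randomized addresses; and the reconciliation flow just described, where a login with an unknown MAC is matched to an existing record by a verified phone number and the new random MAC is then linked to that account. The in-memory user store, its field names, and the sample MAC addresses and phone number are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Account:
    account_id: int
    phone: str
    macs: set = field(default_factory=set)

def is_randomized_mac(mac: str) -> bool:
    """True when the locally administered (U/L) bit of the first octet is set;
    iOS 14 / Android 10+ private addresses set it, so it is not a stable ID."""
    m = re.fullmatch(r"([0-9A-Fa-f]{2})(?:[:-][0-9A-Fa-f]{2}){5}", mac)
    if not m:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bool(int(m.group(1), 16) & 0x02)

class UserStore:
    """Minimal in-memory stand-in for the user database (an assumption)."""
    def __init__(self) -> None:
        self._by_mac, self._by_phone, self._next_id = {}, {}, 1

    def reconcile(self, mac: str, phone: str, phone_verified: bool):
        """Resolve a click-through login: known MAC -> verified phone -> new
        record. Returns (account, how) with how in {'mac', 'phone', 'new'}."""
        mac = mac.lower()
        acct = self._by_mac.get(mac)
        if acct is not None:
            return acct, "mac"
        # Only a verified contact (e.g. SMS OTP) may link to an existing record;
        # otherwise typing someone else's phone number would hijack their account.
        if not phone_verified:
            raise PermissionError("phone must be verified before linking")
        acct, how = self._by_phone.get(phone), "phone"
        if acct is None:
            acct, how = Account(self._next_id, phone), "new"
            self._next_id += 1
            self._by_phone[phone] = acct
        acct.macs.add(mac)  # a private MAC is stable per SSID, so remember it
        self._by_mac[mac] = acct
        return acct, how

def demo():
    """Constructed scenario: one person before and after the iOS 14 update."""
    store = UserStore()
    old, _ = store.reconcile("3C:22:FB:12:34:56", "+15550100", True)   # hardware MAC
    new, how = store.reconcile("DA:71:0C:9E:77:01", "+15550100", True)  # private MAC
    _, how2 = store.reconcile("da:71:0c:9e:77:01", "", False)           # next visit
    return old.account_id, new.account_id, how, how2
```

The third login in `demo()` succeeds without a phone number because the random MAC linked on the previous visit is now a known key, which is the behaviour the text describes for following visits.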
Empower mobile app users with seamless connectivity
Leveraging the Cloud4Wi Mobile SDK, brands can empower their mobile app to provide mobile users with a secure and automatic WiFi connection upon arrival. Cloud4Wi uses a combination of Passpoint and WPA2-Enterprise to make sure every smartphone can be enabled regardless of its support for the Hotspot 2.0 standard.
Auto-Authentication via Hotspot 2.0 (beta access)
Hotspot 2.0, also known as Passpoint™, is a Wi-Fi standard that streamlines network access using downloadable profiles. Cloud4Wi utilizes the Hotspot 2.0 specification to deliver a connected guest experience that is simpler, smarter, and more secure. All a guest has to do is download a profile once per device; every time they return or visit another supported location, they will be instantly and seamlessly connected.
Because Hotspot 2.0 uses an installed profile instead of a device’s MAC address, it is unaffected by changes in MAC randomization behavior. We believe this solution is the future of Wi-Fi access and is best suited for brands that highly value customer loyalty and return visits, like those in the hospitality and retail markets, with benefits including:
- Instant Connection: After installing a profile, it’s just like the experience you have when you walk into your home or office. Your device will automatically connect before you even take it out of your pocket.
- Seamless Experience: With Hotspot 2.0, you don't have to open a web browser, enter a password in a login screen, or hunt for a network. The right network is automatically selected and you are seamlessly connected from place to place.
- Secure By Design: Hotspot 2.0 was designed from the ground up to be the safest and most secure way to connect to public-access Wi-Fi, using WPA2 encryption for enterprise-level security.
Guests can be enrolled in the Hotspot 2.0 experience via multiple channels:
- via Captive Portal: when users access WiFi via the Splash Page, the Access Journey will prompt them to enroll in this service by simply downloading a WiFi profile.
- via messaging: existing users can be invited to enroll in the new experience by sending them a message, such as a text message or email, with a simple link to download their WiFi profile.
- via text-to-join or QR code in-person experience: you can invite customers to text a keyword to a phone number to easily enroll in the service, or invite them to scan a QR code that offers the same enrollment experience.