Although MAC Randomization has been around for a few years, it has really grown in popularity with the beta version of Apple iOS 14 update because it’s a default enabled setting. MAC Randomization could be a revolutionary step for user privacy, but also introduces a few issues.
This article covers MAC Randomization, its strengths and weaknesses, and how to overcome those weaknesses.
What is MAC Randomization?
In order to understand MAC Randomization, it’s important to know exactly what a MAC address is in the first place.
What is a MAC address?
A Media Access Control, or MAC, address is a string of random digits and letters that serve as a unique identifier for a device. With the MAC address, network owners can not only verify connecting users, but enforce network policies and determine access levels.
MAC addresses are given to devices when they’re manufactured and are static, up until MAC Randomization came onto the scene.
So, what is MAC Randomization?
In short, MAC randomization is when your device’s operating system creates a random MAC address and uses it instead of the original one when connecting to a network. The point of MAC randomization is to protect devices from being tracked by network providers.
Back in 2014, the first iteration of MAC randomization was featured in Apple’s iOS 8 update and was subsequently adopted in some form by other operating systems. It was used when a device was scanning for access points or SSIDs, but the original address was then used once the device connected to a network.
Fast forward six years and Apple’s iOS 14 beta version has MAC randomization as a default enabled setting when scanning for access points AND connecting to a network. This isn’t new as Android released this feature with their Android 10 update back in 2019.
However, what is different with iOS 14 is the method of rotating the randomized MAC address every 24 hours. The network will never know the true identity of the device, instead seeing a temporary address that changes daily. And this feature is where concerns have been raised.
Potential Issue with MAC Randomization
While this feature is revolutionary for security, it can be detrimental to user experience.
Devices with the MAC address rotation will require their users to log back into the network every 24 hours, possibly more if that user leaves and returns to the Wi-Fi range often. While that may not seem like a big deal, it’s a major annoyance for sysadmins and users with multiple devices. Imagine having to remember and input several usernames and passwords every time you enter the office.
This can be a major disruption for network owners when onboarding new and guest users. The first time logging in won’t be an issue, but the subsequent logins can become a strain. Network users will get annoyed having to log in to the Wi-Fi every time, and then they’ll start bugging the IT team to do something about it (you know it’s true).
Plus, other operating systems are implementing MAC randomization in their own way, making it harder for admins to onboard user devices. So what can be done to counteract this?
Hotspot 2.0 Solves MAC Randomization Network Identification
Hotspot 2.0, or Passpoint as it’s commonly referred to (though not exactly the same), is one potential solution to the MAC randomization issue. The purpose is to allow users to roam between different Wi-Fi networks when traveling and transition from network to network without interruptions or switching to cellular data. This is commonly an issue for students on a college campus or people traveling through an airport.
Is Passpoint Secure?
Absolutely! Passpoint was developed by the Wi-Fi Alliance, a non-profit organization dedicated to maintaining wireless security. Passpoint adheres to the 802.11u specifications and is only compatible with devices that support the EAP authentication protocol. In fact, Passpoint is supported by most operating systems.
But how does Hotspot 2.0 / Passpoint fix the MAC randomization problem? By installing a Passpoint User Profile on to a device, you can now tie user information (email address, job title) with a network connection. This eliminates the reliance on the MAC Address being the sole source of identifiable information, as every network connection will have an email address associated with it, which admins can easily see with a Passpoint solutions provider like SecureW2.
Install Passpoint & Hotspot 2.0 User Profiles Easily with SecureW2
Network owners can install a profile onto every device by integrating their networks with SecureW2’s Passpoint Device Configuration platform. New and guest users can quickly gain network access with our JoinNow onboarding software that only requires users to log in once during setup. Once complete, onboarded devices will automatically connect to the network because our onboarding software equips every device with a digital certificate that identifies them.
With MAC Randomization, users will have to log in to the network every 24 hours, which is a massive pain for admins and end users. Configuring your network for certificate-based authentication and Passpoint Wi-Fi will make that problem fade away. Integrate your network with SecureW2 PKI solutions to eliminate over-the-air credential theft and automate device onboarding.
SecureW2 has been providing fast and secure network access via certificates for years. We are industry forerunners in adopting new technology, including Passpoint and MAC Randomization. Click here to see our affordable pricing.