Enabling an online connection while users are away from their home networks has been a challenge for those that want a complete and efficient system. The use of mobile data is too expensive overtime, and the restrictions of hotspots limits mobility.
In response, the Wi-Fi Alliance developed Passpoint, a shortcut for mobile authentication. The Passpoint protocol relies on identifying information from the user being sent automatically to securely authenticate them as they travel and change locations. Since its inception in 2012, Passpoint has had different variations that add new features to this dynamic protocol.
To deploy Passpoint r1, it’s recommended to use a Captive Portal/Walled Garden onboarding workflow to ensure a secure and accurate configuration of necessary settings. Once configured, users’ mobile devices will be configured for EAP authentication to the WPA2-Enterprise protected network.
There are several EAP methods you can be configured for with varying results in terms of security. Users can be identified by Passpoint using either SIM card identification, username and password credentials, or a digital certificate. When it comes to authentication security, none can match the attributes of certificate-based authentication.
Certificates utilize public key cryptography, effectively thwarting any attempts at an Over-the-Air Credential Theft attack. Additionally, the user does not have to remember a password or reset it at given intervals; certificates are imprinted with the user’s identity and have lifetimes that often last multiple years.
In the past, certificates have been difficult to configure and distribute effectively to users. SecureW2’s JoinNow solution provides an easy-to-use onboarding client that can be completed in minutes and results in guaranteed accurate Passpoint device configuration. And our managed PKI can integrate with any network infrastructure to distribute certificates to the entire network.
Once properly configured, the user is prepared to utilize Passpoint for mobile connection. The process without Passpoint requires the user to manually choose the network, enter their identifying information, and redo this process every time they need to reestablish a connection.
With Passpoint, the entire process is automated. The user’s device would be able to establish a connection with the wireless network with no user interaction and send the identifying information.
The second version of Passpoint establishes a connection with a service provider’s hotspots to create an enormous network for users to automatically connect. It allows the user to use Online Sign-Up (OSU) server verification (SecureW2 is a provider of OSU servers) to auto-authenticate and connect to a service provider’s entire network of hotspots.
Passpoint r2 automatically authenticates to wireless hotspots by utilizing Access Network Query Protocol (ANQP). This process uses metadata to process incoming network choices to establish a connection to relevant networks. The user can be authenticated using similar methods as Passpoint r1 while widening the scope of back-end servers that can be used. With Passpoint r1, you can use these servers: DHCPv4, AAA, DNS, and PPSMO Web. Passpoint r2 is compatible with the same servers, but expands its capabilities to include Subscription Remediation, OSU, Policy, and OCSP Responder.
A use case for Passpoint r2 that shows its relevance would be a commuter in the airport. In the past, if the commuter wanted to authenticate to hotspots, they’d have to manually choose the hotspot and send their authenticating information. And if they traveled within the airport and went out of range of the hotspot, they would have to redo the process to reestablish connection. This process is completely automated with Passpoint r2.
Although Passpoint r2 has been released since 2014, it has not had a widespread adoption compared to r1. Legacy devices are generally not compatible with the protocol, and Apple OS have not yet updated to include compatibility. As more service providers continue to add support and improve the protocol, it’s likely the adoption will become more extensive.
The Advantages of Passpoint
With the goal of answering the calls for wider mobile broadband service, Passpoint has excelled in efficient and secure connection for mobile users. It allows for users to get better wireless coverage and lower their mobile data use. And for travelers, they can rely on seamless wireless access while roaming.
For service providers, there is a significant cost savings in terms of infrastructure. Users are able to seamlessly move from one hotspot to another and rely on authentication from Passpoint. Also, it promotes customer loyalty to a particular service provider brand.
Lastly, organizations are amongst those that benefit the most from Passpoint. For example, imagine a hotel chain. If a business traveler visits your hotel in two cities, they will need to re-authenticate themselves both times and go through the entire process. With Passpoint enabled, that hotel chain could offer a loyalty program. A traveler within the program would be automatically authenticated no matter which hotel chain location they visited. Any organization could set up a similar system, whether it be for customers or their own employees.
The seamless connection provided by Passpoint benefits every party involved in the process. As Passpoint r2 is adopted by more of the market, users will be able to experience wireless connection nearly everywhere they go. And users authenticated with certificates are safe in the knowledge that their identity is protected by iron-clad cybersecurity. Check out SecureW2’s pricing page to see if our certificate solutions can enhance your Passpoint-enabled network.
*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Jake Ludin. Read the original post at: https://www.securew2.com/blog/passpoint-r1-r2-compared/