White Paper Excerpt
Secure and Seamless Carrier Wi-Fi Services with Passpoint
In this post, we will talk about the different Passpoint releases (R1-R3) and the status of device support. Don’t miss our upcoming blog post, A Pragmatic Approach to Passpoint on how to overcome challenges with the lack of widespread device support for R2 and R3.
Wi-Fi in the 5G era – White Paper
This is an excerpt from our white paper Wi-Fi in the 5G Era – Strategy Guide for Operators. The full white paper is available here if you like what you read. Don’t hesitate to contact us if you have any questions.
One of the essential tools in the Wi-Fi toolbox is Passpoint® with SIM authentication. It enables seamless, secure, carrier-grade and highly monetizable Wi-Fi services. Wi-Fi 6 and Wi-Fi 6E radio technology, capable of delivering high-quality wireless connectivity, is an excellent starting point. But for service providers, such capabilities must be transformed into user-friendly, secure, well-defined, and preferably carrier-class high-speed wireless data services.
To that end, the Wi-Fi industry has developed the Hotspot 2.0 standard, nowadays more commonly referred to by its equipment certification name of Passpoint. Once provisioned on the phone or other Wi-Fi device, Passpoint technology allows users to connect securely, instantly, and automatically to the public (or enterprise) Passpoint-capable Wi-Fi networks, for example, at public venues such as airports, stadiums, transport hubs, on aircraft, and so on.
The Passpoint technology also facilitates roaming onto Wi-Fi networks belonging to other service providers or third parties, given that a roaming agreement with the subscriber’s home service provider exists. The WBA OpenRoaming initiative has the potential to make Wi-Fi roaming just as seamless for the user as roaming with cellular phones.
The Components of Passpoint
A Passpoint-capable network is defined by supporting the following functions:
- The network (Wi-Fi access point) must advertise its capabilities and available services using IEEE 802.11u Interworking elements in beacons and probe responses, and answer detailed queries through the Access Network Query Protocol (ANQP), so that a device can evaluate the network before associating.
- The network must use 802.1X-based authentication with WPA2-Enterprise or WPA3-Enterprise for over-the-air encryption.
- Support for EAP-SIM/AKA/AKA' (SIM identity-based) or EAP-TLS (client certificate) and EAP-TTLS (server certificate plus username/password) authentication, the latter two usually for non-SIM devices.
- Optional Wi-Fi roaming with home operator billing.
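To make the list concrete, here is an added hostapd configuration excerpt (it is not from the white paper or from any vendor) that turns the four bullets into access point settings: the 802.11u/ANQP elements advertised to devices, 802.1X relayed to a RADIUS (AAA) server, WPA2-Enterprise encryption, and NAI Realm entries naming EAP-AKA/AKA'/SIM and EAP-TTLS/TLS. The R3-only options (WPA3-Enterprise, Venue URL, Terms and Conditions) described under Release 3 below are included but commented out. All interface names, SSIDs, addresses, secrets, organization identifiers (OIs), realms and the 001/01 test PLMN are placeholders; in production the OIs and realms come from the operator or the roaming federation.

```ini
# hostapd.conf excerpt for a Passpoint (R1) BSS, R3-only options commented out.
# Added illustration, not taken from the white paper; every name, address,
# secret, OI, realm and PLMN below is a placeholder.

interface=wlan0
driver=nl80211
ssid=Example-Carrier-WiFi
hw_mode=a
channel=36

# --- 802.1X / EAP: the AP never sees credentials; it relays EAP to the
# --- operator AAA server, which terminates EAP-SIM/AKA against the HLR/HSS
# --- and EAP-TTLS against a subscriber database.
ieee8021x=1
auth_server_addr=192.0.2.10             # placeholder AAA address
auth_server_port=1812
auth_server_shared_secret=change-me     # placeholder; use a long random secret
acct_server_addr=192.0.2.10
acct_server_port=1813
acct_server_shared_secret=change-me
nas_identifier=ap01.hotspot.example.net

# --- Over-the-air encryption: WPA2-Enterprise (R1/R2) with PMF enabled.
# --- For R3 / WPA3-Enterprise set ieee80211w=2 (PMF required).
wpa=2
wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256
rsn_pairwise=CCMP
ieee80211w=1
# Hotspot 2.0 hardening: do not forward group-addressed downstream frames and
# proxy ARP on the AP, so one client cannot spoof or sniff another via the
# shared group key.
disable_dgaf=1
proxy_arp=1

# --- 802.11u Interworking: advertised in Beacon / Probe Response
interworking=1
access_network_type=2                   # 2 = chargeable public network
internet=1
asra=0                                  # 1 would signal a captive portal step
venue_group=1                           # 1 = Assembly
venue_type=3                            # 3 = Passenger Terminal
hessid=02:00:00:00:00:01                # placeholder; identical on every BSS of the network
roaming_consortium=a1b2c3               # placeholder OI; devices match on this first
roaming_consortium=a1b2c3d4e5           # placeholder roaming-partner OI

# --- ANQP: answered to GAS queries from devices deciding whether to join
hs20=1
hs20_release=1                          # 3 for Passpoint R3 (Android 12 and later)
hs20_operator_friendly_name=eng:Example Carrier Wi-Fi
venue_name=eng:Example Airport Terminal 1
domain_name=example.net
# NAI Realm: encoding,realm,EAP-method[auth-param]...
#   methods: 13=EAP-TLS 18=EAP-SIM 21=EAP-TTLS 23=EAP-AKA 50=EAP-AKA'
#   param 5 = credential type (1 SIM, 2 USIM, 6 certificate, 7 username/password)
#   param 2 = inner non-EAP auth for TTLS (4 = MSCHAPv2)
nai_realm=0,wlan.mnc001.mcc001.3gppnetwork.org,23[5:2],50[5:2],18[5:1]
nai_realm=0,wifi.example.net,21[2:4][5:7],13[5:6]
# 3GPP Cellular Network info (MCC,MNC) so SIM devices recognise their home PLMN
anqp_3gpp_cell_net=001,01
# WAN metrics: link up, 100 Mbit/s down, 20 Mbit/s up, load/LMD unknown (0)
hs20_wan_metrics=01:100000:20000:0:0:0
# Connection capability: protocol:port:status (0 closed, 1 open, 2 unknown)
hs20_conn_capab=1:0:1
hs20_conn_capab=6:443:1
hs20_conn_capab=17:500:1
hs20_conn_capab=17:4500:1

# --- R3-only ANQP elements (ignored by R1 devices)
#venue_url=1:https://venue.example.net/terminal-1
#hs20_t_c_filename=terms-2024-10
#hs20_t_c_timestamp=1727740800
#hs20_t_c_server_url=https://aaa.example.net/terms?addr=@1@
```

Two settings deserve attention when reviewing a real deployment: the RADIUS shared secret and transport (plain RADIUS over UDP exposes EAP and accounting data on the backhaul unless it is tunnelled or RadSec is used), and disable_dgaf/proxy_arp, which Hotspot 2.0 requires precisely because the group key on a public network is shared by every authenticated client.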
A critical component is the capability of Passpoint services to deliver ‘Wi-Fi offload’-type services based on credentials stored in the subscriber’s SIM. This means mobile operators can integrate carrier Wi-Fi services into their total service offering. Read more about this in our Wi-Fi and Cellular Convergence – Opportunities Today post.
Passpoint is designed to create a carrier-grade Wi-Fi service with a familiar and seamless user experience like that of cellular networks. However, mobile operators can comfortably apply EAP-SIM/AKA authentication and mobile core integration outside the complete Hotspot 2.0/Passpoint specification. Aptilo Networks was already providing such solutions long before the release of the first Passpoint-capable devices. This also means that EAP-based authentication (SIM/AKA and TLS/TTLS) is not equivalent to Passpoint as such, which is a common misunderstanding.
In the USA, Passpoint-capable Wi-Fi services and roaming are fairly readily available, for example, on the Boingo Wi-Fi network deployed at many airport locations and on some public Wi-Fi networks provided by US cablecos, for instance, on the former Time Warner Cable public Wi-Fi network today owned and operated by Charter Communications. Today, both Android and iOS operating systems natively support Passpoint, and many phones provided by US carriers are pre-provisioned to support Passpoint services.
In Europe and elsewhere, Passpoint-capable Wi-Fi services are less common but available from some major carriers in the form of EAP-SIM/AKA enabled ‘Wi-Fi offload’ convergent mobile services. Most enterprise-grade Wi-Fi access points are certified according to the Passpoint specifications.
The Different Passpoint Releases
Passpoint exists in three sequential releases.
Release 1 (R1)
Passpoint was first introduced in 2012, building on a new set of protocols and standards, including IEEE 802.11u and ANQP. These allow devices to discover networks that support Passpoint, evaluate them before associating, and connect automatically to the best available match.
Nearly all modern mobile phones and laptops, including Apple iPhones (even though Apple has not had them formally certified), support Passpoint Release 1 (R1). However, onboarding new devices remains a challenge. Users typically need to provision Passpoint R1 credentials manually by downloading a file that contains the connection profile and credential information. Mobile operators can push these profiles to devices over the air (OTA); other service providers can streamline the process with an app, and SDKs are available to integrate this functionality into existing apps so that it is seamless for users.
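As an added illustration of what such a downloaded R1 profile carries (this is not the white paper's own material), here is an Apple configuration profile (.mobileconfig) for an EAP-TTLS credential; Android consumes the equivalent PerProviderSubscription (PPS) XML instead. The profile matches networks by roaming consortium OI, NAI realm and home domain rather than by SSID. The security-relevant part is that it pins the AAA server's name and CA: without TLSTrustedServerNames and a certificate anchor, any access point advertising the same OI could present its own certificate and collect the inner username/password. All identifiers, UUIDs, names and the certificate bytes are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Added example Passpoint R1 profile; all values are placeholders. -->
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>net.example.passpoint</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key><string>Example Carrier Wi-Fi</string>
  <key>PayloadContent</key>
  <array>
    <!-- 1. The CA that signs the AAA server certificate, delivered with the profile
            so the device does not have to trust the AP's word for it. -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>net.example.passpoint.ca</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-0000000000CA</string>
      <key>PayloadDisplayName</key><string>Example AAA Root CA</string>
      <!-- placeholder DER certificate, base64 -->
      <key>PayloadContent</key><data>MIIB...placeholder...</data>
    </dict>
    <!-- 2. The Passpoint (Hotspot 2.0) Wi-Fi payload. No SSID: networks are
            selected by OI / realm / domain from ANQP. -->
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>net.example.passpoint.wifi</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-0000000000F1</string>
      <key>PayloadDisplayName</key><string>Example Carrier Wi-Fi</string>
      <key>IsHotspot</key><true/>
      <key>ServiceProviderRoamingEnabled</key><true/>
      <key>AutoJoin</key><true/>
      <key>DisplayedOperatorName</key><string>Example Carrier Wi-Fi</string>
      <key>DomainName</key><string>example.net</string>
      <key>RoamingConsortiumOIs</key>
      <array><string>A1B2C3</string><string>A1B2C3D4E5</string></array>
      <key>NAIRealmNames</key>
      <array><string>wifi.example.net</string></array>
      <key>EncryptionType</key><string>WPA2</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <!-- 21 = EAP-TTLS; SIM devices would use 23 (EAP-AKA) / 50 (EAP-AKA') -->
        <key>AcceptEAPTypes</key><array><integer>21</integer></array>
        <key>TTLSInnerAuthentication</key><string>MSCHAPv2</string>
        <!-- anonymous outer identity keeps the real username inside the TLS tunnel -->
        <key>OuterIdentity</key><string>anonymous@wifi.example.net</string>
        <key>UserName</key><string>alice@wifi.example.net</string>
        <!-- Server validation: only this name, only under the CA above. -->
        <key>TLSTrustedServerNames</key>
        <array><string>aaa.example.net</string></array>
        <key>PayloadCertificateAnchorUUID</key>
        <array><string>00000000-0000-4000-8000-0000000000CA</string></array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Leaving UserPassword out makes the device prompt on first use rather than storing the password in the downloaded file; whichever way it is delivered, the profile should be signed and served over HTTPS, since it carries the trust anchor that every later authentication depends on.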
Release 2 (R2)
Passpoint R2, released in 2014, added the Online Sign-Up (OSU) function: an OSU server that let new users create an account and provision Passpoint credentials at the point of access, enabling seamless ad-hoc sign-up and even a choice of service provider where several were available. R2 required a separate SSID for Online Sign-Up, either an open SSID or an OSEN (OSU Server-only Authenticated L2 Encryption Network).
In 2023, the Wi-Fi Alliance removed Passpoint Release 2 (R2), and with it OSU, from the standard because the industry was unable to secure support from Apple.
Although this feature might be reintroduced in a simplified form in the future, Passpoint profiles can currently be provisioned over the air, through an app, or via a third option: our pragmatic approach using a portal and the Captive Portal API.
Release 3 (R3)
Passpoint Release 3 (R3), introduced in 2019, is supported by Android 12 and higher, while iPhone remains on R1. Passpoint R3 introduces several new ANQP protocol elements and enhances operator and end-user interaction. While earlier versions focused primarily on automatic connection and user onboarding, Passpoint R3 aims to improve captive portal functions through enhanced ANQP messaging.
For the first time, Passpoint allows operators to provide B2B customers with tools to engage visitors through a Venue URL. This feature displays information about the Wi-Fi service while also offering local promotions and deals. Additionally, R3 includes functionality for end-users to approve the Wi-Fi service’s terms, conditions, and charges.
However, we believe Passpoint R3 may have overextended its focus on user engagement features. Deploying these features via ANQP locally at access points complicates central management, particularly in multi-vendor deployments where support for different Passpoint versions varies. Given the challenges in management and the lack of widespread device support, there is a risk that R3 may never be widely adopted in carrier Wi-Fi networks.
Security in R3 is further enhanced with support for WPA3-Enterprise, which mandates Protected Management Frames, whereas R1 and R2 specify WPA2-Enterprise. Additionally, R3 allows the same SSID to be used for both the Wi-Fi service (WPA2/WPA3) and the online sign-up (OSEN) functionality, should the OSU feature from R2 be reintroduced.
Strategies for Deploying Passpoint in the Real World
The Passpoint certification is a moving target, and things may have changed by the time you read this. But as of October 2024, iPhones do not support Passpoint Release 3 (R3). Android 12 and later support R3, but Android OEMs usually customize the platform to match their product requirements, so the fact that a feature works on one vendor's device does not mean it works on another's.
The Passpoint certification from the Wi-Fi Alliance only certifies the over-the-air protocol behaviour. In practice, releases from R2 upwards, which add more complex service-related features, cannot be guaranteed to work end-to-end in a Wi-Fi service. We have seen this in the testing conducted by the Wireless Broadband Alliance (WBA).
Conversely, devices that support R3 without being Passpoint certified probably exist, just as iPhones support R1 without official certification. But as a service provider, you cannot build on so many unknowns. On a more positive note, most smartphones, tablets, and laptops now support at least Passpoint R1. Operators should therefore build and deploy Wi-Fi services on R1, possibly with an extension for selective use of R3.
One thing is certain: Operators who wait for new standards to be fully deployed and for mobile device manufacturers to adopt them risk waiting for a very long time. It is not only the complexity of the technology that decides whether a handset manufacturer develops support for standards like Passpoint R2/R3 or not. Thus, the wait could go on forever. Fortunately, there is no reason to delay the introduction of carrier-grade Wi-Fi services.
In our upcoming blog post, A Pragmatic Approach to Passpoint, we will discuss how Passpoint R1, together with the new Captive Portal API, may well be the interim solution that, in the end, becomes the permanent pragmatic solution for Passpoint-enabled networks.