What’s Wrong with MAC Authentication and Pre-shared Keys (PSKs) for BYOD and Guest Wi-Fi Access, Part II: User and IT Experience

Cloudpath digital certificates and dynamic PSKs solve both the security and usability problems associated with network onboarding and authentication.

You probably remember our previous blog covering the security shortcomings of MAC authentication and conventional pre-shared keys. In conversations with organizations across a variety of industries, we consistently hear that those without a secure onboarding system in place experience other problems as well. They see serious usability issues and helpdesk headaches with these default methods for network authentication.

Users Experience Frustration Getting Devices Online

The default methods of getting BYOD and guest users online involve either a common pre-shared key or entering a password into a captive portal for MAC authentication. If the password is too simple (password123) that’s obviously a serious security hole. But if you choose a stronger password, users may have a hard time typing it in correctly, especially on smaller devices, when the password is long and when it contains special characters, numbers, capital letters and so on (which is a good practice when it comes to passwords). When the password changes, users may not be aware and once again incur frustration trying to get online. You can’t exactly email them the password to inform them of the new password. You can’t put it on a post-it note on the wall (people do that, but it’s definitely not a network security best practice). Also, for security reasons, no matter how strong the password, you don’t want to just leave it the same indefinitely. If you did, someone could use it to access the network months after they had any legitimate reason for connecting. For example, an employee who has left the company or a visitor who completed their business with the organization months ago shouldn’t be connecting to the Wi-Fi. So when you do change the PSK or the password for MAC authentication, it can have ripple effects when users can’t get online because they don’t have the new password. IT teams typically set MAC authentications to expire daily, and if a guest user returns the next day, they need to enter the password again to re-authenticate. That means they get a new opportunity to type in the password incorrectly. Or maybe they have lost the slip of paper that includes the Wi-Fi password by the time the system asks them to enter it again. Or they have lost it when they bring a new device that they need to connect. Many such scenarios result in a poor user experience—you have probably lived a few of them yourself. In certain circumstances with default methods, the network may prompt users to re-enter credentials when they lose connectivity even for a moment. That presents more chances to get the password wrong. Some environments require users to connect to a variety of SSIDs at different locations. In a university or college, the library may have one SSID, while the student union, dorms and sports arena have their own—each with its own PSK. Multiply this by the several devices that users (students, faculty, staff and visitors) seek to connect, and it’s easy to see why user frustration associated with network access multiplies.

IT Teams Experience Headaches from Numerous Helpdesk Tickets Related to Wi-Fi Network Access

The flip side of poor user experience is headaches for IT teams because they are on the receiving end of the resulting helpdesk tickets. Some organizations without a method for enabling user self-service have reported multiple IT headcount allocated to dealing with network access issues. The costs add up quickly in this situation. Equally bad, when IT spends a lot of time-solving Wi-Fi access issues, they are not able to focus on more strategic projects. Most IT teams we talk to want to help drive business success and/or fulfillment of the organization’s mission (for example in healthcare, government, or education). But they can easily fall short of that aspiration when they are buried by routine helpdesk tickets related to network access. Security problems can also create extra work for IT—not just a little, but a lot. For example, malware may spread within an organization if insecure devices connect to the network. An up-front security posture check during network onboarding can help reduce malware infection rates, but the default methods don’t allow for this. Data breaches that result from unsecured Wi-Fi can also suck up a lot of IT time because the source of the breach is not always obvious, and IT must investigate the root causes. Better to avoid security issues in the first place with an appropriate layered security strategy—and a secure onboarding platform is an important piece of this. An ounce of prevention is better than a pound of cure, as the saying goes.

Secure Wi-Fi and Great User Experience—the Best of Both Worlds

IT teams often see usability and security as conflicting goals. A wide open IT environment may make things easy for users, but security suffers. If you lock down your IT environment, it might be more secure, but end users complain. (We’d all be safer if we didn’t connect to the internet, but no one could get any work done that way). One of IT’s jobs is to manage these trade-offs. Secure network access is a unique element of the security taxonomy because you can have the best of both worlds. You can both improve usability and increase security in your computing environment by deploying a software or SaaS platform to streamline onboarding and deliver secure connectivity for BYOD and guest users. Digital certificates and dynamic PSKs solve both the security and usability problems associated with default methods of network onboarding and authentication. If that sounds interesting, now is a great time to check out Ruckus Cloudpath Enrollment System