Seamless and Secure

Imagine if Wi-Fi connectivity was as secure, simple, and seamless as cellular. Just switch on your device, and you are connected. This is the vision behind Hotspot 2.0 (HS 2.0), nowadays mostly referred to by Wi-Fi Alliance’s equipment certification name – Passpoint®.

It enables compatible devices to automatically and silently discover Wi-Fi access points that have roaming agreements with the user’s home network. The device then connects to that network automatically and securely.

The roaming use case is where Passpoint shines. The WBA OpenRoaming initiative has quickly moved Passpoint from a promising technology toward potential mass adoption. Passpoint profiles for OpenRoaming are now enabled from the factory in many handsets, which points to rapid development. OpenRoaming has the potential to make Wi-Fi roaming just as seamless for the user as roaming with cellular phones.

This opens up new business opportunities for Carrier Wi-Fi when a critical mass of Hotspot 2.0-enabled Wi-Fi access points, roaming agreements, and devices have been rolled out.


A Passpoint-certified Hotspot 2.0 network is defined by its support for the following functions:

  • The network (Wi-Fi access point) should broadcast its capabilities and available services using 802.11u and a protocol called ANQP.
  • The network must use 802.1X-based authentication and WPA2 or WPA3 for over-the-air encryption.
  • The network must support EAP-SIM/AKA (SIM identity-based) or EAP-TLS/TTLS (certificate-based methods, usually for non-SIM devices) authentication.
  • Optional Wi-Fi roaming with home operator billing.
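
As an added example (not from the original page or from any vendor named on it), the following Python check audits an access point configuration against the requirements listed above. It assumes the access point runs hostapd and uses hostapd.conf option names; the sample configurations and the realm `example.com` are constructed.

```python
import re

# IANA EAP type numbers for the methods named in the list above.
EAP_METHODS = {13: "EAP-TLS", 18: "EAP-SIM", 21: "EAP-TTLS", 23: "EAP-AKA", 50: "EAP-AKA'"}
# hostapd key -> (required value, finding reported when it differs)
REQUIRED = {
    "interworking": ("1", "802.11u interworking/ANQP not enabled"),
    "hs20": ("1", "Hotspot 2.0 indication not enabled"),
    "ieee8021x": ("1", "802.1X authentication not enabled"),
    "wpa": ("2", "RSN-only (WPA2/WPA3) encryption not enforced"),
}

def parse_conf(text):
    """hostapd.conf is key=value; keys such as nai_realm may repeat."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def advertised_eap(conf):
    """EAP methods advertised in ANQP NAI Realm entries."""
    found = set()
    for entry in conf.get("nai_realm", []):
        # Entry format: <encoding>,<realm(s)>,<method>[auth params],...
        for method in entry.split(",")[2:]:
            m = re.match(r"\d+", method)
            if m and int(m.group()) in EAP_METHODS:
                found.add(EAP_METHODS[int(m.group())])
    return found

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings = [msg for key, (want, msg) in REQUIRED.items()
                if conf.get(key, [""])[-1] != want]
    akms = conf.get("wpa_key_mgmt", [""])[-1].split()
    if not akms or any("EAP" not in akm for akm in akms):
        findings.append("non-802.1X key management offered")
    # SIM credentials may instead be matched through the 3GPP PLMN list.
    if not advertised_eap(conf) and "anqp_3gpp_cell_net" not in conf:
        findings.append("no EAP method or 3GPP PLMN advertised via ANQP")
    return findings

# Constructed sample configurations (example.com is a placeholder realm).
GOOD = ("interworking=1\nhs20=1\nieee8021x=1\nwpa=2\nwpa_key_mgmt=WPA-EAP\n"
        "nai_realm=0,example.com,13[5:6],21[2:4][5:7]\n")
WEAK = GOOD.replace("WPA-EAP", "WPA-PSK").replace("hs20=1", "hs20=0")
```

`audit(GOOD)` returns an empty list, while `audit(WEAK)` reports the disabled Hotspot 2.0 indication and the pre-shared-key management suite.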

A critical component is the capability of Passpoint services to deliver Wi-Fi offload services based on credentials stored in the subscriber’s SIM. This means mobile operators can integrate Carrier Wi-Fi services into their total service offering.

Passpoint is designed to create a carrier-grade Wi-Fi service with a familiar and seamless user experience like that of cellular networks. However, mobile operators can comfortably apply EAP-SIM/AKA authentication and mobile core integration outside the complete Hotspot 2.0/Passpoint specification. Aptilo Networks was already providing such solutions long before the release of the first Passpoint-capable devices. This also means that EAP-based authentication (SIM/AKA and TLS/TTLS) is not the same thing as Passpoint; treating the two as equivalent is a common misunderstanding.


Moowifi’s Role in a Passpoint-Enabled Wi-Fi Service

The Moowifi SMP (software) or SMP-S (service on AWS) includes EAP authentication support and all the necessary back-end service management functions for a Passpoint-certified Hotspot 2.0 Wi-Fi network.

In our solution, SIM-based devices use SIM authentication (EAP-SIM/AKA) as the preferred EAP method. Operators can typically perform mass-provisioning of the necessary Passpoint profiles through central device management systems.

This provisioning is more challenging for non-SIM devices using EAP-TLS/TTLS. Ad-hoc users also need to be provisioned for the Hotspot 2.0 service. Passpoint Release 2 (R2), with its online signup server (OSU), was created for this purpose. However, due to the limited device support for the latest Passpoint releases (R2, R3), some of our customers have developed a simple tablet/smartphone app that automatically provisions EAP-TTLS certificates on non-SIM devices.

For those who don’t want to deploy and maintain apps, we propose a pragmatic approach to Passpoint based on Release 1 and the Internet Engineering Task Force (IETF) Captive Portal API (RFC 8908 and RFC 8910).