PSKs? MAC Auth? Not Good Enough for Wi-Fi Security
Share This
Maybe you trust your Wi-Fi is secure enough because you are already security conscious. You’ve read the news. You’ve instituted mandatory security training. You’ve adopted multiple processes and tools to secure your school, including anti-malware software and extensive anti-phishing measures. That’s all very important.
However, the security of your network and the data it leads to depends on knowing how and by whom your network is accessed—and barring those who shouldn’t be on it. Some widely adopted ways of attempting this aren’t nearly good enough.
Wi-Fi access security could be the gaping hole in your network security.
PSKs Threaten Your Wi-Fi Security
If you use or allow shared Wi-Fi passwords (also known as pre-shared keys, or PSKs) and rotate those passwords every quarter or semester, your Wi-Fi access security is weak. Even if your shared password is complex, it’s still public. It can be passed on to anyone.
A shared Wi-Fi password can also be kept by people who no longer should have access to your network—including those who leave with grudges. In 2022, Beyond Identity found that the threat posed by former employees had grown 83%. There’s a good reason: It’s too easy for people who leave an organization to retain access to shared Wi-Fi passwords.
Compromised, weak, or stolen passwords have been the number one means by which criminals can breach networks—more than 80%, according to Beyond Identity. Shared Wi-Fi passwords put your network at risk.
Authenticating with MAC Addresses is Just as Bad, or Worse.
Using MAC addresses for authentication might seem better than using shared passwords because MAC-based addresses are unique to each device. But in some ways, MAC addresses are even worse.
U.S. Cybersecurity, a service that helps companies with all aspects of their network security, says that the number one mistake that organizations make regarding MAC addresses is to rely on them for authentication. With a MAC-address-based scheme of authenticating to your network, each MAC address is sent in plain text across the network, making your network easy to breach.
With the MAC address in plain text, it is a simple matter for a hacker to capture it. Once they have a device’s MAC address, they can use an easily available tool like MAC Changer to change the MAC address on their own device to match that of the device trusted by your network. Disguised as an authorized user, the criminal engaged in this MAC spoofing infiltrates your network and can gain access to more credentials and to the servers that house your institution’s most sensitive data.
MAC address-based authentication doesn’t keep your Wi-Fi secure.
With Either Method, You are at Risk.
Wi-Fi authentication with PSKs and authentication with MAC addresses both have major flaws. Neither authentication method lets you associate every device with a user or assess a device’s security posture.
If your organization uses PSKs or MAC addresses to authenticate its Wi-Fi network, cybercriminals can attack it. Cyberattacks affect every part of the community connected to a business or school. A breach in a school network affects everyone involved—students, teachers, administrators, staff, and parents.
The cost of a cyberattack is huge. It is likely to cost your organization millions of dollars and undermine the confidence and trust of the entire community that interacts with it.
What Should I Do?
You should stop using shared Wi-Fi passwords or MAC addresses as your authentication method.
At a minimum, you need secure, unique Wi-Fi usernames and passwords for every individual user who uses your network. Those credentials should be securely stored within your identity management system, such as Microsoft Azure AD (Entra ID). This eliminates shared Wi-Fi credentials and plain-text credentials.
An even more secure way to safeguard a network is a password-less authentication approach—a zero trust approach. You leverage PKI with the EAP-TLS protocol to issue certificates for each individual device and user. Nothing is shared, and no passwords are needed. Validation is quick, easy, and secure.
RADIUS is the Foundation
The RADIUS protocol is an industry standard for access control. It provides users and devices secure, authenticated access to Wi-Fi and connected networks. IT staff can assign different access privileges for different roles. Individuals only have access to the information that they are supposed to have access to.
RADIUS is considered an AAA protocol because it provides authentication, authorization, and accounting for Wi-Fi access. AAA means that credentials are authenticated and that only valid users are authorized to use the network. That keeps network access secure. AAA also means accurate accounting of when each user and device access the network and leaves it.
You need clear accounting not only for IT staff but also for compliance with guidelines established by regulatory agencies to which businesses and educational institutions are accountable. An AAA protocol addresses all three aspects of securing and keeping track of Wi-Fi access.
Foxpass Cloud RADIUS: A Solution That’s Both Simple and Secure.
Splashtop—named Security Vendor of the Year in the 2023 SDC IT Awards—has a proven, clear, simple, and cost-effective way to secure Wi-Fi access: Foxpass Cloud RADIUS. Foxpass Cloud RADIUS by Splashtop is a RADIUS solution that can secure access to your Wi-Fi without creating a burden for IT, your budget, or your users.
Foxpass Cloud RADIUS plugs right into your mobile device management infrastructure such as Intune or Jamf for efficient certificate setup. Furthermore, Foxpass Cloud RADIUS syncs easily with Google, Okta, and Microsoft Entra ID to allow easy onboarding of users and automatic offboarding when users leave your organization.
Foxpass Cloud RADIUS is also fully compatible as a complementary solution to Microsoft Cloud PKI, which is tailored explicitly for securing access to Wi-Fi networks and VPNs and is available as part of the Microsoft Intune Suite.
Foxpass Cloud RADIUS is both scalable and fault-tolerant, with servers spanning multiple data centers and with no single point of failure. You receive clear and detailed logs of activity that give you the accounting you need to manage your network access control and comply with regulatory standards. And because Foxpass Cloud RADIUS supports multiple SSIDs, you can keep your different networks, such as those for students and school staff, distinct and secure.
Foxpass Cloud RADIUS secures Wi-Fi in a way that’s easy on all your users and on IT, decreasing rather than increasing IT’s load. With Foxpass Cloud RADIUS, you can protect your data and your people from mayhem in a way that’s simple and straightforward.
Splashtop is a leader in remote solutions that simplify work and learning from anywhere in the world. Splashtop acquired Foxpass in 2023 to add their successful and easy-to-use RADIUS solution, which thousands of users have already depended on, to the education and business solutions that Splashtop offers.
Learn more about Foxpass Cloud RADIUS, or start a free trial now!
