WBA: OpenRoaming and Passpoint Address Guest-Public Wi‑Fi Security Risks
The Wireless Broadband Alliance (WBA) explains how standards-based solutions — WBA OpenRoaming™ and Passpoint® — mitigate legacy Guest-Public Wi‑Fi risks. By enforcing mutual authentication, enterprise-grade encryption, identity privacy and secure AAA transport, these standards seek to deliver a cellular-like secure roaming experience.
Background
Recent industry reporting, including the Google Android "Behind the Screens" report, highlighted the security risks of traditional open guest Wi‑Fi: identity theft, traffic interception, phishing, spoofed networks and other attack vectors. The WBA says the industry has been working with operators, identity providers, device makers and technology leaders to build a new generation of Guest-Public Wi‑Fi that addresses these risks.
Strong mutual authentication
WBA OpenRoaming™ and Passpoint® require mutual authentication using industry-proven EAP methods such as EAP-TLS, EAP-TTLS, EAP-SIM and EAP-AKA. This mutual authentication prevents devices from associating with rogue access points presenting spoofed SSIDs and reduces man-in-the-middle attack exposure.
Enterprise-grade encryption
Traffic on OpenRoaming and Passpoint-enabled networks is protected with WPA2-Enterprise or WPA3-Enterprise, using AES-based encryption and protected management frames. According to WBA, this raises the security posture of public Wi‑Fi toward that of mobile networks and mitigates packet sniffing and traffic manipulation threats.
User identity privacy by design
The WBA highlights privacy features in these standards to avoid exposing user identifiers or credentials over the air. Mechanisms include unique and anonymous identities, pseudonym identities for SIM-based methods and an optional opaque Chargeable User Identity to protect personal information. These measures are intended to prevent broadcast of credentials, device identifiers or IMSIs.
Secure credential storage on devices
Credentials for OpenRoaming and Passpoint are expected to be stored securely on devices, for example in the Android Keystore, iOS Keychain or secure hardware modules/SIMs. This prevents credential extraction and inappropriate reuse, keeping credentials personal to the device and user.
End-to-end secure transport
To protect authentication and accounting beyond the Wi‑Fi link layer, WBA OpenRoaming mandates secure AAA transport using RadSec (RADIUS over TLS) or VPN. This encrypts exchanges between network elements and reduces the risk of interception in the backhaul and carrier network.
Layer-2 traffic isolation
OpenRoaming and Passpoint deployments enforce client isolation and Layer-2 filtering techniques such as Proxy-ARP and the disabling of broadcast/multicast where required. These measures limit local-attacker lateral movement and device-to-device attacks on public networks.
What this means for integrators and providers
System integrators, solution providers and operators should consider these standards when designing or upgrading public Wi‑Fi services. Key implementation points include integration with identity providers and AAA infrastructure, ensuring device onboarding supports secure credential storage, and enabling RadSec or equivalent secure transport between network elements.
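As an added illustration of these implementation points (not part of the WBA material), the hostapd configuration below shows how the controls described in the encryption, Passpoint discovery and Layer-2 isolation sections map onto one Passpoint-enabled guest SSID. The SSID, realms, roaming consortium OI and RADIUS secret are placeholders, and the assumption is that hostapd hands RADIUS to a local radsecproxy instance, which carries it onward over RadSec (RADIUS over TLS).

```ini
# Added example configuration for hostapd (not from the WBA article).
# All names, realms, the OI and the shared secret are placeholders.
interface=wlan0
ssid=Guest-Passpoint-PLACEHOLDER
hw_mode=g
channel=6

# Enterprise-grade encryption: WPA2-Enterprise, AES-CCMP pairwise cipher,
# Protected Management Frames required (ieee80211w=2).
wpa=2
wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256
rsn_pairwise=CCMP
ieee80211w=2

# 802.1X/EAP relay. Mutual authentication happens between the device and the
# identity provider's AAA server; hostapd only forwards EAP. The RADIUS target
# is an assumed local radsecproxy that forwards over RadSec (TCP 2083, TLS),
# so no plain RADIUS leaves this host.
ieee8021x=1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-PLACEHOLDER

# Passpoint / Hotspot 2.0 discovery (ANQP) so devices select the network
# automatically instead of relying on an SSID name that could be spoofed.
interworking=1
hs20=1
# access_network_type 2 = chargeable public network
access_network_type=2
internet=1
# Placeholder OI; a deployment advertises its federation's assigned OI here.
roaming_consortium=001122
domain_name=guest.example.net
# NAI realms advertise which EAP method and credential type each realm accepts:
# 13[5:6]        EAP-TLS with a certificate credential
# 21[2:4][5:7]   EAP-TTLS, MSCHAPv2 inner auth, username/password credential
# 18[5:1] 23[5:2] EAP-SIM (SIM) and EAP-AKA (USIM) for a placeholder 3GPP realm
nai_realm=0,idp.example.net,13[5:6],21[2:4][5:7]
nai_realm=0,mnc001.mcc001.3gppnetwork.org,18[5:1],23[5:2]

# Layer-2 isolation: no client-to-client forwarding, the AP answers ARP on
# behalf of clients (Proxy-ARP), and downstream group-addressed frames are
# disabled (Hotspot 2.0 DGAF), limiting device-to-device attacks.
ap_isolate=1
proxy_arp=1
disable_dgaf=1
```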
Conclusion
While legacy Guest-Public Wi‑Fi carries well-documented risks, WBA OpenRoaming™ and Passpoint® present a standards-based alternative intended to provide secure automatic onboarding, protected identities, encrypted connections and verified networks. The WBA positions these technologies as the foundation for a trustworthy, global public Wi‑Fi roaming experience.
Further details are available on the WBA website. Additional information on OpenRoaming: https://www.openroaming.org.