Mac Address Randomization is an increasing trend among device manufacturers that are quickly becoming the industry standard. While it can help in reducing the risks of data breaches and spying on users’ connections, it does complicate the authentication process and can create issues assigning roles to users. A goal of mac randomization is to prevent the identities of users from being collected when browsing online, such as a banned practice that the social media app TikTok was found using.
Many organizations prioritized anonymity and user security in bids to improve overall network security. Read here how this school district improved their network security by using stronger authentication methods.
Mac randomization can be an excellent tool for organizations looking to improve their cybersecurity, but there should be a backup plan for identifying users to maintain a cohesive network.
Using Mac Address Randomization
To begin, a Media Access Control Address (Mac Address) is a unique string of random digits and letters assigned to a device. Every device is assigned a different mac address when it’s created so it can be easily identified.
Mac randomization flips this concept when connecting to a network. When a user connects to a wireless network, their device will report a random mac address. Each new network will receive a different mac address. This prevents a user from being tracked across different networks by an outside actor and provides anonymity on unknown or public networks.
Additionally, iOS has taken mac randomization a step further by introducing a Mac Address Rotation feature that continually updates the mac address reported to networks every 24 hours.
Where Mac Randomization Can Cause Issues
Of course, when a person connects to a secure network, such as their office, they’re likely not as concerned about anonymity. An employer will want to know whose devices are connecting to the network, and they cannot identify the device based on the mac address. This is especially difficult with mac address rotation, as the user will constantly change their mac address and will need to re log-in each time they disconnect, or every 24 hours.
When a user connects to a network, they supply both their identity (login credentials) and the identity of their device (traditionally mac address). If a person logs in only using their user identity, it creates a huge vulnerability in the network. Any user can use any device to log in with a valid set of credentials. Without device trust, a bad actor could use valid credentials and be able to freely access the network.
This issue of accurate authentication becomes extremely prevalent when working in the cloud. Remote users outside the office network perimeter are much more exposed to threats. There are many security measures that can be provided by employers and best practices that can be upheld by users, but the fact remains that they are at greater risk.
It’s key to an organization’s security that they accurately identify each user and device to ensure they know who is accessing the network. So they must work around mac address randomization.
Dynamic RADIUS and Mac Randomization
Credentials are famously insecure and a poor method of identifying users. They can be easily stolen and reused, or shared among different users within an organization. The result is a network populated with users who can’t be accurately identified.
Many organizations have opted to replace credentials with certificate-based authentication. Certificates are tied to both the user’s identity and the device’s identity, so when a certificate is authenticated, it is certifying the identity of the user and device.
When a certificate shows up in the RADIUS log, it is displayed next to the device’s current IP address. While their IP address may change upon authentication, a certificate will not. Due to its static nature, the certificate will always accurately identify the device and user. Without certificates, a network admin would need information in addition to their IP (such as a mac address) to accurately identify a user.
A device certificate cannot be stolen or transferred from a device, so it is far stronger from a security standpoint compared to credentials. Every device a user has will contain a different certificate, so no two certificates are the same. If an admin needs to revoke access from a device that was lost or stolen, they can easily find that certificate.
As an additional measure, Cloud RADIUS has dynamic authentication capabilities. This allows a user’s permissions to be updated in the directory without revoking the certificate. If a user gains a promotion and now needs access to different resources, an admin can simply update them in the directory and they will gain/lose access in real time.
Organizations don’t need to avoid security benefits like mac randomization simply because they might make things a little more difficult; solutions exist that enable and enhance these security protocols. Certificate-based authentication provides far stronger authentication security while improving the user experience. Check out SecureW2’s pricing page to see if our certificate solutions can enhance your organization.
