Cloud EAP-TLS Service for Passwordless Wi-Fi

Your Wi-Fi isn’t secure if you’re using pre-shared keys (PSK) or tying it to credentials. With the growing threat of credential theft, the best way to protect credentials is to limit their use. Our managed PKI and RADIUS services empower organizations to move to passwordless EAP-TLS authentication and provide the #1 rated certificate enrollment solutions to make moving to passwordless seamless.


Is EAP-TLS the best protocol for Wi-Fi Security?

Extensible Authentication Protocol (EAP) has multiple iterations, but EAP-TLS is the most secure. EAP-TLS offers organizations the benefits of improved security, an easier end-user login experience, and superior performance. Rather than rely on passwords that may be easily stolen over-the-air or recycled across other resources, passwordless EAP-TLS uses certificate-driven security for authentication.

Certificates offer a range of benefits for authentication. Through the use of public-private key cryptography (also known as asymmetric cryptography), EAP-TLS securely encrypts data transmitted over-the-air. Better yet, it’s slightly faster than alternative authentication protocols like PEAP-MSCHAPv2 and doesn’t require users to repeatedly enter passwords just to access the network. Certificate-based EAP authentication streamlines the process by using a digital certificate in place of a password.

What do I need to deploy EAP-TLS?

To successfully deploy EAP-TLS, your organization will need a Public Key Infrastructure (PKI) and ideally an authentication server such as a RADIUS server. The PKI enables organizations to manage the certificate lifecycle, and an authentication server actively authenticates, authorizes, and accounts for the devices equipped with certificates.

Does EAP-TLS require a PKI?

Yes. To issue and manage digital certificates, organizations require a Public Key Infrastructure (PKI). This can deter some enterprises from implementing certificates, as PKIs have historically been difficult to build and manage.

However, that no longer has to be the case. A managed PKI (MPKI) like our JoinNow Connector PKI takes all the hassle out of deployment and maintenance. Our knowledgeable team has helped many enterprises all over the world deploy certificate-based authentication in just hours.

Is EAP-TLS passwordless security?

Yes. EAP-TLS is an authentication protocol that uses digital certificates to authenticate users and devices accessing a wireless network. The EAP authentication method starts when a user requests access. Their device shares a certificate with an authentication server such as a RADIUS server, which either grants or denies access.

With EAP-TLS, the entire network access process is passwordless. The user is connected quickly without any need to enter credentials each time.

What is the difference between EAP-TLS and PEAP-MSCHAPv2?

In a nutshell, PEAP-MSCHAPv2 is a credential-based authentication protocol. It uses encryption to hide data sent over-the-air, but the problem is that its hashing algorithm, MD4, has been compromised for years. Industry experts such as Microsoft have been recommending that enterprises stop using PEAP-MSCHAPv2.

EAP-TLS, on the other hand, uses asymmetric cryptography to generate certificates for mutual authentication. Rather than sending passwords over-the-air, users and devices are verified with the use of digital certificates. Not only does this make EAP-TLS the more secure option of the EAP methods, but it takes fewer steps to complete the mutual authentication process, resulting in a faster authentication speed.

Can an end user configure EAP-TLS?

End-users should not be left to configure EAP-TLS authentication on their own. There are many settings that can be overlooked, such as server certificate authentication, and misconfiguring a single setting can prevent a user from connecting to your network. At worst, misconfiguration can lead to an end-user’s compromised device connecting to your network, exposing other devices to the same risk of compromise.

The best way to configure all endpoints to use the EAP-TLS authentication protocol is to use onboarding technology. SecureW2 is an EAP-TLS SaaS provider that has powerful onboarding technology for both managed devices and unmanaged devices/BYODs. For managed devices, we offer gateway APIs that use the Simple Certificate Enrollment Protocol (SCEP) to automatically enroll endpoints managed by MDMs such as Intune and Jamf. We offer a convenient self-service onboarding application for BYODs that empowers end-users to configure EAP-TLS on their devices and enroll for a client certificate in seconds.
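To make the overlooked settings mentioned above concrete, here is an added example (not SecureW2 code) that audits client-side 802.1X profiles for missing server certificate validation. It assumes a Linux client using wpa_supplicant; the file paths, SSIDs and RADIUS hostname in the sample are constructed.

```python
import re

# Constructed sample: the same EAP-TLS network, hand-configured vs. hardened.
SAMPLE_CONF = '''
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    client_cert="/etc/wifi/client.pem"
    private_key="/etc/wifi/client.key"
}
network={
    ssid="corp-wifi-hardened"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/wifi/corp-root-ca.pem"
    domain_suffix_match="radius.example.org"
    client_cert="/etc/wifi/client.pem"
    private_key="/etc/wifi/client.key"
}
'''

# wpa_supplicant options that pin the RADIUS server's certificate name.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, flags=re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines()
                 if "=" in l and not l.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(net):
    """List server-validation gaps in one 802.1X network block."""
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return []  # not an 802.1X network, out of scope
    findings = []
    if net.get("eap", "").upper() != "TLS":
        findings.append("eap is not restricted to TLS")
    # Without ca_cert/ca_path wpa_supplicant does not verify the server certificate.
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no ca_cert: RADIUS server certificate is not verified")
    if not any(net.get(k) for k in NAME_CHECKS):
        findings.append("no server name check: any certificate from the CA is accepted")
    return findings

def audit_conf(text):
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(text)}
```

Run over a fleet's collected profiles, an empty finding list for every SSID is the state an onboarding tool should leave behind.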

Why can't we just build our own PKI instead of using a managed PKI?

Many organizations see the benefits of the Extensible Authentication Protocol and going passwordless but think that they can reduce the cost of doing so by building their own PKI infrastructure. Unfortunately, this often ends up being a costlier venture in terms of finances and time spent. Building a private PKI requires expertise, space for the servers, and regular maintenance. Additionally, certificate lifecycle management - from issuance to renewal to revocation - is time-consuming.

PKI as a service solutions like our JoinNow Connector PKI can save you the resources you would otherwise spend on building and maintaining your own. What’s more, since our PKI infrastructure is cloud-based, your administrators can access it from anywhere without having to replicate it at every office location.

How does your PKI handle certificate lifecycle management phases, such as revocation and renewal?

We wouldn’t be able to call it PKI as a Service if we didn’t provide you everything you needed to manage your certificates. For endpoint distribution, we have our automatic gateway APIs for managed devices and our self-service onboarding technology for unmanaged devices/BYODs.

When it comes to revocation, our cloud-based PKI can revoke certificates in a few different ways, including manually and through automatic revocation with some MDMs such as Jamf and Intune. Our PKI as a service also includes customizable policies you can create, such as non-utilization, which means certificates that aren’t used for a definable period of time (such as 60 days) are automatically revoked.

What is the passwordless authentication experience like for the end user?

The user experience differs based on whether they are using managed or unmanaged devices/BYODs. For managed devices, the end user will never notice the certificate enrollment process - our PKI as a service includes gateway APIs that will automatically enroll them for a certificate. For BYODs, you can utilize our self-service onboarding technology, which allows end users to configure their devices for private certificates in a matter of minutes.

After enrollment, certificate-based authentication is mostly the same for either type of end-user. They no longer need to remember a plethora of passwords, reset those passwords regularly, or adhere to complex password requirements.

How does your PKI integrate with our infrastructure?

Our PKI isn’t just designed to provide secure EAP-TLS authentication; it’s designed to seamlessly integrate with your existing infrastructure so that your organization doesn’t need to make forklift upgrades to go passwordless. We can integrate with your Identity Provider and your MDM to encode attributes from your source of truth onto certificate templates for secure EAP server authentication.

For some MDMs, such as Jamf and Intune, our PKI can be configured to automatically revoke certificates from devices and users your administrators move into specific smart and static groups. This ensures that only the most current access policies are applied whenever someone authenticates to your network.