The move, which appears to be the first use of advanced 802.1x-based security by a national mobile carrier in U.S. hot spots, leverages the existing 802.1x infrastructure used to authenticate GSM (Global System for Mobile Communications)/GPRS (General Packet Radio Service) cell-phone users.
"CIOs across the country have been asking for enhanced security, and were the first U.S. wireless carrier to deliver it," said Joe Sims, vice president and general manager of T-Mobile HotSpot.
"The rollout of 802.1x across our network will enable IT managers and business professionals to use T-Mobile HotSpot as a more secure virtual extension of their corporate networks and offices," Sims said.
"One of the final barriers to significant corporate adoption of Wi-Fi was removed for professionals and companies looking to enhance their mobility strategy."
The announcement is also likely to come as good news to mobile and Wi-Fi industries, which have struggled with questions of how to support 802.1x-based security schemes in hot spots that lack the IT staffs to manage them.
802.1x provides the authentication and encryption framework used in the advanced Wi-Fi security specifications 802.11i and WPA (Wi-Fi Protected Access), which were developed to address vulnerabilities identified in WEP (Wired Equivalent Protocol), the original security mechanism for 802.11 WLANs.
WPA was adopted by the Wi-Fi Alliance last year. 802.11i with AES (Advanced Encryption Standard) security was ratified by the IEEE in July. Even before the adoption of those standards, 802.1x was used in "dynamic WEP" (Wired Equivalent Privacy) to bring additional layers of security to WLANs.
"Our advanced security is really our implementation of WPA," said Mark Bolger, director of brand marketing for T-Mobile HotSpot.
Strong security in WPA and 802.11i—also known as WPA2—speeded the adoption of Wi-Fi networks in the enterprise, where the market has traditionally lagged behind the home due to security concerns.
Enterprises remained wary of the use of hot spots, which were largely unsecured because of the difficulty of managing the IT infrastructure in coffee shops, restaurants and other public venues that lack on-site IT staffs.
802.1x networks require an authentication server (usually RADIUS) or database to store user credentials, as well as the installation on client devices of a "supplicant"—a small software program that establishes communications with the server using an EAP (Extensible Authentication Protocol) type.
Paul Lopez, senior manager of advanced technologies at T-Mobile, said the company is addressing that problem in an upgrade to its T-Mobile Connection Manager software.
The software includes the client supplicant and can be downloaded for free from the T-Mobile Web site. Current T-Mobile Wi-Fi customers will be prompted to upgrade when they connect to the network. The software is also available on CD at many local T-Mobile stores and hot spots.
EAP protocols, already widely used in the mobile environment, are the mechanism in the SIM (Simple Identity Management) cards used to handle authentication and accounting across GSM/GPRS mobile-phone networks. T-Mobile plans to leverage the 802.1x infrastructure already in place for its wide area GSM/GPRS network to extend 802.1x authentication to the hot-spots.
Bolger of T-Mobile HotSpot said he expects that this ability to centrally secure and monitor performance at each hot-spot location will be "a tipping point for corporate adoptions" of the companys phone/Wi-Fi services.
Kevin Walsh, director of product management at Funk Software, a developer of remote authentication technologies that works with a number of GSM/GPRS carriers, said GPRS operators have been looking at introducing 802.1x authentication to hot spots for some time.
The hurdle has always been "the burden of supporting the end-user machine," Walsh said. "Im excited about T-Mobiles interest in this because now we have a world-class operator saying, This is the best way to do this."