What Is Hotspot 2.0 (Passpoint)? Seamless WiFi Roaming Explained
Key Takeaways: Hotspot 2.0, marketed as Passpoint by the Wi-Fi Alliance, is a WiFi standard (based on IEEE 802.11u) that enables devices to automatically discover, authenticate, and connect to WiFi networks without user interaction — similar to how cellular devices roam between cell towers. Devices authenticate using pre-provisioned credentials (carrier SIM, certificates, or stored profiles), bypassing the captive portal entirely. Hotspot 2.0 solves the connectivity problem (fast, secure, automatic WiFi) but eliminates the data capture opportunity that captive portals provide. For WiFi marketing resellers, Passpoint is both a technology to understand and a coexistence challenge to plan for.
Hotspot 2.0 makes WiFi work like cellular. You walk into a venue, and your phone automatically connects to WiFi — no portal, no login, no button to tap. The device negotiates authentication in the background using credentials already stored on it (typically from your mobile carrier's SIM).
The technology was first specified in 2012 by the Wi-Fi Alliance (as Passpoint) and the Wireless Broadband Alliance. It builds on IEEE 802.11u, which adds network advertisement and discovery capabilities to WiFi. The goal: eliminate the friction of connecting to public WiFi networks.
It sounds like it should have killed captive portals a decade ago. It didn't. Here's why, and what it means for resellers building WiFi marketing businesses in 2026.
How Hotspot 2.0 works
The connection process
Traditional WiFi: you pick an SSID → see a portal → log in → get access.
Hotspot 2.0: your device discovers the network → checks if credentials match → authenticates automatically → you're online. You may never know it happened.
The technical flow:
- •Network discovery — the AP broadcasts 802.11u information elements: network type, roaming consortium, venue info, and access network parameters
- •ANQP query — the device sends an Access Network Query Protocol request, asking the AP about its authentication capabilities, domain names, and roaming partnerships
- •Credential matching — the device checks if any of its stored credentials (SIM, certificates, username/password profiles) match the network's supported authentication methods
- •Authentication — if credentials match, the device authenticates via EAP (Extensible Authentication Protocol) over 802.1X — the same WPA2/WPA3-Enterprise authentication used in corporate networks
- •Connection — the device connects with WPA2-Enterprise or WPA3 encryption. All traffic is encrypted from device to AP. No captive portal is presented.
What makes it different from saved WiFi networks
Your phone already auto-connects to saved networks (your home WiFi, your office). Hotspot 2.0 goes further:
- •Discovers networks you've never connected to before — if they belong to your carrier's roaming consortium, your device connects automatically
- •Uses SIM-based authentication — no password stored on the device, no user interaction
- •Encrypts everything — WPA2/WPA3-Enterprise, unlike open captive portal networks which have no encryption pre-authentication
- •Roams across providers — your AT&T phone can auto-connect to a Boingo hotspot because AT&T and Boingo have a roaming agreement
Authentication methods
| Method | Credential Source | Use Case |
|---|---|---|
| EAP-SIM | SIM card (mobile carrier) | Carrier WiFi offload |
| EAP-AKA | SIM card (4G/5G) | Carrier WiFi offload |
| EAP-TLS | Client certificate | Enterprise deployments |
| EAP-TTLS | Username/password | ISP subscribers, university WiFi |
EAP-SIM and EAP-AKA are the most common in public deployments. Your carrier provisions the authentication on your SIM — you don't configure anything.
Where Hotspot 2.0 is deployed
Carrier WiFi offload
The primary use case. Mobile carriers deploy Passpoint to offload data traffic from congested cellular networks to WiFi. AT&T, T-Mobile, and Verizon in the US; Vodafone, Orange, and Telefonica in Europe all have Passpoint deployments.
When your phone auto-connects to "attwifi" or "T-Mobile_WiFi" at an airport, that's Passpoint in action.
Airports and transit
Major airports (80% of top-100 global airports by 2025) support Passpoint for carrier subscribers. The connectivity experience is seamless — traveler walks off the plane and is on WiFi before reaching the gate.
Hotels (Passpoint + OpenRoaming)
OpenRoaming (an initiative by the Wireless Broadband Alliance) extends Passpoint with a federated identity layer. Hotel chains like Marriott and Hilton participate — guests with compatible carriers or identity providers connect automatically across all properties.
Stadium and venue WiFi
Large venues with 10,000+ APs use Passpoint to handle mass connectivity events. It reduces portal congestion (imagine 50,000 fans all trying to load a captive portal simultaneously) and improves the user experience.
The elephant in the room: what Passpoint means for WiFi marketing
The problem
Hotspot 2.0 bypasses the captive portal. No portal means no data capture. No data capture means no emails, no phone numbers, no social profiles, no marketing automation, no retargeting audiences.
If every device auto-connected via Passpoint, WiFi marketing as a service would cease to exist.
The reality (why it hasn't killed WiFi marketing)
Passpoint adoption has been slow, and for WiFi marketing resellers, the threat is manageable:
1. Passpoint requires carrier participation. Only devices with carrier-provisioned Passpoint profiles auto-connect. As of 2025, an estimated 25-35% of smartphones have active Passpoint profiles (Wireless Broadband Alliance, 2025). The rest still need traditional captive portal authentication.
2. Most venues don't deploy Passpoint. Passpoint requires WPA2/WPA3-Enterprise AP configuration, RADIUS AAA infrastructure, and roaming agreements with identity providers. Small and mid-size venues (restaurants, retail, cafes) — the core WiFi marketing market — don't have this infrastructure. They use open networks with captive portals.
3. Venue operators want data. Even venues that could deploy Passpoint often choose captive portals because they want guest data. Auto-connecting a guest provides connectivity but zero marketing value.
4. The dual-SSID solution. Venues can run both: a Passpoint SSID for seamless carrier offload AND a captive portal SSID for guest marketing. Guests whose devices don't have Passpoint credentials fall through to the portal. Guests who auto-connect via Passpoint can still be targeted through presence analytics.
Market segmentation
| Venue Type | Passpoint Likely? | Captive Portal Likely? | Coexistence? |
|---|---|---|---|
| Major airports | Yes | Yes | Both — different SSIDs |
| Hotels (large chains) | Growing | Yes | Both — portal for non-carrier guests |
| Shopping malls | Sometimes | Yes | Portal dominates |
| Restaurants | No | Yes | Portal only |
| Retail stores | No | Yes | Portal only |
| Events/conferences | Sometimes | Yes | Both for large events |
| Coffee shops | No | Yes | Portal only |
For the vast majority of venues that resellers serve (restaurants, retail, cafes, SMB hospitality), Passpoint is irrelevant. The venues are too small, the infrastructure requirements too heavy, and the venue operators too focused on data capture.
Coexistence strategies for resellers
Dual-SSID deployment
Deploy two SSIDs on the same hardware:
- •"VenueName-WiFi" — open network with captive portal for guest marketing
- •"VenueName-Passpoint" — Passpoint-enabled SSID for carrier offload (enterprise venues only)
Guests who auto-connect via Passpoint bypass the portal but are still detectable via presence analytics. Guests who connect to the open SSID go through the portal and provide data.
Post-Passpoint engagement
For venues with Passpoint, capture data through alternative touchpoints:
- •Post-connection QR codes — table tents or signage: "Scan for exclusive offers"
- •In-app engagement — if the venue has an app, use push notifications after Passpoint connection
- •NFC tags — tap-to-engage physical touchpoints
- •WiFi heatmap data — even without portal data, Passpoint users generate presence analytics
Positioning against Passpoint
When selling to venue operators who ask about Passpoint: "Passpoint is great for connectivity. It gets people online fast. But it captures zero guest data — no emails, no phone numbers, no visit history. If all you need is connectivity, Passpoint works. If you need a marketing database, you need a captive portal."
Passpoint technical requirements
For resellers who do need to deploy Passpoint (enterprise clients, airports, large hospitality groups):
Hardware
- •APs must support 802.11u and Hotspot 2.0 Release 2+ (Passpoint R2/R3)
- •Compatible hardware: Cisco Meraki (MR series), Aruba (AP-5xx+), Ruckus (R-series), Juniper Mist, Extreme Networks
- •Most SMB APs (UniFi, TP-Link, Datto) do NOT support Passpoint
Infrastructure
- •WPA2-Enterprise or WPA3 RADIUS authentication
- •RADIUS server with EAP-SIM/AKA support (for carrier offload) or EAP-TTLS/TLS (for enterprise)
- •Roaming agreements with carriers or OpenRoaming federation membership
- •ANQP server configuration (venue info, domain names, NAI realm list)
Cost
Passpoint adds infrastructure complexity but no per-user cost. The investment is in RADIUS infrastructure and roaming agreement setup — typically $5,000-$50,000 for initial deployment, depending on scale.
The future of Passpoint and WiFi marketing
OpenRoaming expansion
The Wireless Broadband Alliance's OpenRoaming initiative is reducing the barrier to Passpoint deployment by creating a global roaming federation. Instead of bilateral agreements between carriers and venues, OpenRoaming provides a central identity framework.
Adoption is growing but still limited. WBA reported 3 million OpenRoaming-capable hotspots globally by end of 2025 — significant, but a fraction of the billions of WiFi access points worldwide.
WiFi 7 and Passpoint
WiFi 7 (802.11be) is Passpoint-ready by default. As WiFi 7 APs become standard in enterprise deployments (2026-2028), Passpoint capability will be ubiquitous in hardware — but that doesn't mean venues will activate it.
Prediction: coexistence, not replacement
Passpoint will dominate carrier WiFi offload at airports, transit, and large public venues. Captive portals will dominate guest marketing at restaurants, retail, hospitality, and SMB venues. The two technologies serve different purposes and will coexist for the foreseeable future.
For resellers: the captive portal market isn't going anywhere. But understanding Passpoint makes you credible with enterprise clients and positions you for the hybrid deployments where both technologies coexist.
Frequently asked questions
Does my phone support Passpoint?
Most modern smartphones (iOS 14+, Android 11+) support Passpoint. But support and activation are different — your phone needs a carrier-provisioned Passpoint profile to auto-connect. Check Settings > WiFi > Passpoint on Android, or Settings > WiFi on iOS (Passpoint networks appear automatically if your carrier supports them).
Can I opt out of Passpoint auto-connection?
Yes. On iOS: Settings > WiFi > toggle off "Auto-Join Hotspot." On Android: Settings > Network > WiFi > Advanced > Passpoint > toggle off. Users who disable Passpoint will fall through to captive portal authentication.
Does Passpoint replace VPN?
No. Passpoint encrypts the WiFi connection (device to AP) using WPA2/WPA3-Enterprise. It doesn't encrypt traffic beyond the AP. A VPN encrypts traffic end-to-end. They serve different purposes and can run simultaneously.
Is Passpoint more secure than captive portals?
Yes. Passpoint uses WPA2/WPA3-Enterprise encryption from the moment of connection. Traditional captive portals operate on open (unencrypted) networks until authentication — meaning pre-auth traffic is unencrypted. This is Passpoint's strongest argument for security-sensitive deployments.
Will Passpoint make WiFi marketing obsolete?
Not in the foreseeable future. Passpoint serves connectivity. WiFi marketing serves data capture. Most venues want both. The market for captive portal-based WiFi marketing continues to grow (18% CAGR through 2028) because venues prioritize guest data over seamless connectivity.
Bottom line
Hotspot 2.0 (Passpoint) is the seamless connectivity standard that makes WiFi work like cellular — automatic, encrypted, zero-friction. It's deployed at airports, large hotels, and carrier offload hotspots.
For WiFi marketing resellers, Passpoint is a complementary technology, not a competitor. It serves a different need (connectivity) than captive portals serve (data capture). The venues that deploy Passpoint are enterprise-scale. The venues that need WiFi marketing — restaurants, retail, SMB hospitality — use captive portals and will continue to for years.
Understand Passpoint to speak credibly with technical clients. Deploy it where enterprise clients require it. But build your business on captive portals, marketing automation, and guest analytics — that's where the recurring revenue lives.