Wired and wireless networks are now commonly used to provide connected devices with connectivity and network services, such as connectivity to the Internet. Wireless networks include Wi-Fi networks, such as Institute of Electrical and Electronics Engineers (IEEE) 802.11a, 802.11b, 802.11n or 802.11ac networks. In addition to providing network connectivity to computing devices such as laptop computers and smartphones, these networks can provide connectivity to various “smart” devices, such as thermostats, water heaters, light control units, etc. To gain access to the network, a new device generally must first be “provisioned” or “enrolled” in the network, generally through a device that is already connected to the network. Enrollment is a process by which a network-enabled device obtains network credentials that enable a secure connection to the network. As just one example, if a Wi-Fi-enabled smartphone is enrolled to a network via an access point (AP), the smartphone can then connect to the network to upload and download data via the Wi-Fi connection.
For conventional wireless networks, a user typically must perform various actions to provision a device. A first technique, known as “Wi-Fi Protected Setup” or “WPS,” may be used if both the AP of the network and the device to be enrolled support WPS-based enrollment. With WPS, a user must physically press a button on both the AP and the device. The two buttons must generally be pressed within a time window, which may be inconvenient when the AP and the device are not in close proximity. Moreover, the button on the device to be provisioned/connected may not be easily accessible (e.g., if the device is a water heater).
A second, PIN-based technique may also be used. With PIN-based techniques, an alphanumeric PIN code, generally programmed into the AP at the time of manufacture, is typically printed or displayed on the AP. A user enters the PIN code via a user interface of the device to be enrolled. The AP and the device communicate to authenticate, enroll, and connect the device to the network. But PIN codes may not be simple to use and may not provide a secure means of enrollment. For example, the device to be enrolled may not have a user interface that provides a convenient method of entering these characters.
Furthermore, since the PIN code typically cannot be changed, anyone who obtains the PIN code can then gain access to the network via the AP, leaving the network open to access by unauthorized users. Moreover, the PIN code may consist of only a few alphanumeric characters (e.g., 8 or 16), and as a result PIN code enrollment processes are prone to “brute force” attacks, in which an attacker makes repeated attempts to guess the PIN code and thereby gains unauthorized access to the network. In addition, although devices to be enrolled in a network can be authenticated via unique MAC addresses, such authentication procedures are prone to “spoofing” attacks, since a MAC address can be copied to another device, which is then authorized, potentially subverting the network. Therefore, providing enrollment processes that are both simple and secure presents several challenges.