T-Mobile HotSpot offers secure login via 802.1X authentiation starting Tuesday with their own manager software, other 802.1X client software: T-Mobile has set the bar higher on hot-spot security by layering the 802.1X authentication process to allow individual logins through encrypted methods that provide a unique WPA (Wi-Fi Protected Access) key to each user. This prevents users on a network from seeing each other's credentials or traffic.

Joe Sims, the vice president of hot spots for T-Mobile, said in an interview Monday that security of hot spots has "kept Wi-Fi from being even greater than it is." Sims pointed out that "a lot of folks in the industry have been using other methodologies, such as VPNs [virtual private networks], which are very good."

However, not all of T-Mobile's users have access to VPN service, and the IT directors of companies with VPNs still want more security layered on top of their own efforts. "It's going to be another layer of enhanced security that corporations can depend upon," Sims said.

In 802.1X, access to the network beyond the access point is limited until a client authenticates itself through some method, typically a user name and password. The access point hands off the task of authentication to a back-end server, which tells the access point when the authentication has succeeded. In a secured 802.1X transaction, the client (called a supplicant) opens an encrypted tunnel to the back-end server to further protected credentials in transit against attempts to capture and then later crack or replay them.

For users with VPNs, the 802.1X transaction prevents details such as the IP address of the VPN server from being revealed, and could also prevent any putative VPN exploits from being usable in a hot spot. T-Mobile's 802.1X service is especially useful for consumers and travelers without VPNs as it provides them an effective defense against casual sniffers. Given T-Mobile's hot spot infrastructure, it would require physical intrusion and more to gain access to the network's traffic -- not just passive interception.

Explaining 802.1X is one of the problems with offering it, T-Mobile executives agreed. "It's a bunch of numbers; it seems like a bunch of gobblety-gook," Sims said. Just like Wi-Fi turned 802.11 standards into a household term, Sims thinks that 802.1X needs a "cool name" because "its time has come."

T-Mobile will offer an updated Connection Manager application for Windows that includes the 802.1X support. The software is a free download, and CDs containing the software will be available at hot spots like Starbucks and at T-Mobile's corporate cellular retail stores. However, Sims confirmed that standard 802.1X clients such as those included in Mac OS X 10.3 and Microsoft Windows XP will also work with the system.

For Connection Manager users, the update won't change the method by which they log in: 802.1X support has been added beneath the surface. "We tried to make it very seamless," said Paul Lopez, the senior product manager of advanced technology at T-Mobile.

During a transition phase of undetermined duration, T-Mobile will use VLANs (virtual LANs) to offer both the older, gateway-page based login, and the newer 802.1X service. The rollout is initially U.S. based in the 4,800-plus locations here. Sims said that European operations have about 3,500 locations, and that T-Mobile expects to top 10,000 hotspots in the U.S. and internationally combined by year's end with about 6,000 in the US and over 4,000 in Europe.

Sims has high hopes for the technically named 802.1X's more easily understood outcome: "This may be the tipping point for enterprises to more broadly adopt Wi-Fi."