Setting up Wi-Fi authorization via SMS: A complete guide

Modern service businesses require more than just a wireless network; they also require a comfortable and secure environment for their clients. Establishing a hotspot with SMS authentication is one of the most effective ways to authenticate users, collect contact information, and protect the network perimeter from illegal traffic. Unlike simple passwords, which are easily shared with third parties, SMS gateway ensures that the session is linked to a specific individual who owns the SIM card.

Implementing such a system requires a comprehensive approach, including selecting compatible equipment, setting up an authorization server, and integrating with SMS messaging providers. Network owners must understand the differences between a local phone number database and cloud services to select the optimal architecture for their establishment. Below, we will discuss the technical aspects of implementation in detail. Captive Portal using mobile numbers.

It's important to note that this technology is popular not only in cafes and hotels, but also in large office buildings where access control for employees and guests is required. Proper configuration allows users to be automatically redirected to the login page when attempting to connect to an open network. This creates a professional impression and improves the cybersecurity of internal infrastructure.

Operating principle and system architecture

The basis of the system is the protocol Captive Portal, which intercepts all HTTP requests from unauthorized clients and redirects them to a dedicated login page. When the user enters a phone number, the router or controller sends a request to an external gateway, which generates a one-time code or password and sends it to the specified mobile device. After entering the code, internet access is granted for a specified time interval.

The key element here is RADIUS server, which manages accounts, checks traffic limits, and monitors session time. It is the one that decides whether to allow a user into the network or deny access. In conjunction with a router (for example, MikroTik or Ubiquiti) This mechanism operates transparently for the end user, providing a high level of protection.

⚠️ Please note: By collecting phone numbers, you become the data controller. Ensure that consent to data processing is included on the authorization page, otherwise, legal risks may arise.

There are two main architecture types: on-premises, where the authorization server is located within the enterprise network, and cloud-based, where access control occurs over the internet. On-premises architecture is preferable for facilities with high security requirements where traffic must not leave the building perimeter. Cloud-based solutions are easier to deploy and don't require a dedicated server.

📊 What type of authorization are you planning to implement?
Local server
Cloud service
Hybrid scheme
For employees only

Necessary equipment and software

To implement this project, you'll need network equipment that supports hotspot functionality. The most popular and flexible solution on the market is equipment from MikroTik, which allows for detailed configuration of firewall rules and authorization scripts. However, similar functionality is also available in solutions from Ubiquiti UniFi, Keenetic or specialized controllers Aruba.

In addition to the router itself, a communication channel for sending messages must be provided. This can be a GSM modem connected directly to the authorization server or integration with an SMS provider via an API. The first option requires purchasing a SIM card with an unlimited messaging plan, while the second requires a per-message fee under a contract with the operator.

The table below provides a comparison of the main components of the system for different scales of implementation:

Component Small Office / Cafe Large hotel / shopping center Industrial scale
Router MikroTik hAP ac2 MikroTik CCR / Ubiquiti USG Specialized controller
Authorization server Built into the router Dedicated PC or VPS Server cluster
SMS gateway USB GSM modem IP-SMS gateway (4-8 ports) Integration with SMS aggregator
Database SQLite / File PostgreSQL / MySQL Oracle / MSSQL Cluster

The choice of specific equipment depends on the number of concurrent users. For small access points, a single powerful router is sufficient, while covering larger areas will require a system of multiple access points managed by a single controller. Don't skimp on processor performance, as traffic encryption and script processing require resources.

Setting up MikroTik HotSpot to receive SMS

Setting up a hotspot on the base MikroTik RouterOS is the de facto standard for many integrators. The process begins with activating the HotSpot service on the desired interface and setting up an address pool for clients. Proper DNS and HTTP proxy configuration is crucial to ensure redirection to the login page works correctly for all devices.

To integrate SMS, you need to create a user profile that will call an external script when attempting to log in. In the menu IP -> HotSpot -> User Profiles A new profile is created, where the "On Login" field contains a script for accessing the SMS gateway. This script transmits the phone number and receives a confirmation code.

/tool fetch url="http://sms-gateway.local/send?phone=\$(user-name)&code=\$(random-code)" mode=https-keep-alive

After setting up the server side, you need to adapt the HTML template for the authorization page. The standard template MikroTik You can replace it with a custom one by adding a field for entering a phone number. It's important that the form submits data in the correct format compatible with your processing script.

Don't forget to set session timeouts. For guest networks, it's optimal to limit the connection time per device (e.g., 2-4 hours) with the option to re-authorize. This prevents a single user from hogging the channel all day and also encourages repeat engagement with the brand.

Integration with SMS providers and gateways

The most challenging part is ensuring message delivery. Direct connection to a GSM modem via USB often proves unstable under high load: modems freeze, and SIM cards are blocked by operators for spam-like activity. Therefore, for businesses, it is recommended to use professional IP-SMS gateways or cloud APIs.

Cloud providers provide an API, typically running over HTTP/HTTPS or SMPP. The router or authorization server sends a GET or POST request with parameters for the number and message text. The response from the gateway must be processed by a script: if the message is sent successfully, the user is granted access; if not, an error is returned.

  • 📱 Advantages of cloud gateways: High delivery speed, the ability to use short sender names (for example, "HOTEL_WIFI"), statistics and reports in your personal account.
  • 💰 Economic aspect: Payment is based on traffic volume, allowing for accurate cost forecasting. With larger volumes, the cost per SMS is significantly reduced.
  • ⚙️ Technical reliability: Providers use multiple communication channels (Direct Connect), which guarantees delivery even if one of the operators has problems.

When choosing a provider, look for a two-way channel (Delivery Report). This will allow your system to understand whether the message has reached the subscriber. If the message is not delivered (for example, the number is invalid), the system should notify the user instead of leaving them waiting.

☑️ SMS Integration Test

Completed: 0 / 4

Security issues and protection against abuse

Open networks with SMS authentication are often targeted by attackers. The main threat is number brute-force attacks or the use of bots to generate SMS requests, which can lead to financial losses for the network owner due to the cost of thousands of fake messages. Therefore, implementing security measures is essential.

The first level of protection is CAPTCHA on the number entry page. This is a simple but effective way to block automated scripts. The second level is limiting the number of requests per minute from a single IP address or MAC address. The third level is "whitelisting" and blocking suspicious number patterns.

⚠️ Please note: Telecom operators may block your SIM card or gateway if there is a sudden surge in outgoing traffic. Set sending limits (e.g., no more than 10 SMS per minute) at the hardware level.

It's also important to remember the security of transmitted data. The login page must be protected by an SSL certificate. Even if the traffic itself is not encrypted within the network, login data (phone number) must be transmitted over a secure HTTPS channel. Failure to do so leaves the network vulnerable to man-in-the-middle attacks.

What is MAC filtering in the context of a hotspot?

This method allows the router to remember the device by its physical address after the first successful authorization. The next time the system allows the device to connect to the network, it won't require a second code entry. This is convenient for regular users, but requires careful consideration when setting the retention period.

Alternative methods and future trends

Despite the popularity of SMS, the market is moving towards more modern and cheaper identification methods. Viber, WhatsApp And Telegram They offer sending messages over the internet, which is significantly cheaper than traditional SMS and doesn't depend on cellular network coverage (it even works on tablets without a SIM card, as long as there's Wi-Fi for the initial handshake, although this creates a logical loop that can be resolved using QR codes).

Technology Wi-Fi Easy Connect (DPP) allows you to connect devices simply by scanning a QR code with your smartphone's camera. This eliminates the need to enter passwords or phone numbers. However, for marketing purposes (like building a contact database), classic phone number authentication remains the most convenient, as a phone number is a universal identifier.

The introduction of biometric authentication and integration with government digital profiles is expected in the future. For now, however, the "Wi-Fi + SMS" combination remains the gold standard for hospitality, balancing convenience, security, and marketing effectiveness.

Frequently Asked Questions (FAQ)

How much does it cost to implement SMS authentication?

The cost is determined by the equipment (routers start at 5,000 rubles), the server (if a separate one is needed), and the SMS provider's rates. On average, one message costs 1.5–3 rubles. For small businesses, the initial investment can be 10,000–20,000 rubles.

Is it possible to log in without the internet (offline)?

Completely offline SMS authentication is impossible, as it requires communication with the operator's gateway. However, you can use a local phone number database, where the administrator pre-populates VIP client contacts, or use a GSM modem connected directly to the router, if there is cellular coverage.

What if the guest doesn't have a SIM card or it doesn't have a signal?

In such cases, it's recommended to provide an alternative login method, such as entering a promo code available from the establishment's administrator or logging in via social media. This will improve the user experience (UX).

Do I need to register my hotspot with Roskomnadzor?

According to Russian law, information distribution organizations (IDOs) are required to store connection metadata. Public access points (cafes, hotels) have user identification requirements. SMS authorization helps meet these requirements by linking a session to a specific number.