Implementing Wi-Fi authentication via SMS for businesses

Providing public internet access to clients is more than just providing a password; it's a fully-fledged marketing tool that allows you to build a contact database and increase loyalty. SMS authorization Transforms a simple access point into a powerful communication channel, where network access is achieved by verifying a phone number. This solution is ideal for cafes, hotels, shopping centers, and coworking spaces, where it's important not only to provide internet but also to identify the user.

Implementing such a system requires an understanding of the interactions between the client device, the access point, and the carrier's gateway. You will need to configure Captive Portal, which will intercept requests from unauthorized users and redirect them to a phone number entry page. After the form is submitted, the data is transferred to the server, which generates and sends unique confirmation code.

The key advantage of this approach is high conversion: users are accustomed to entering a phone number and are willing to share it for quick access. Furthermore, it provides a basic level security and allows for traffic tracking based on real subscribers, not anonymous MAC addresses. Next, we'll discuss the technical aspects of selecting the hardware and software platform.

How a hotspot works with an SMS gateway

A fundamental element of the system is the protocol for interaction between the router and the external service. When a guest connects to the Wi-Fi network, their device automatically opens the authorization page (Captive Portal). At this stage, the router acts as an intermediary, blocking all traffic except requests to the authorization server. This is standard behavior for the protocol. IEEE 802.11 in public places.

After the user enters their phone number and clicks the "Get Code" button, the router or controller sends an HTTP/HTTPS request to the SMS service provider's external server. This server, in turn, communicates with the GSM gateway or mobile operator API. Response time is critical here: a delay of more than 10-15 seconds can cause the user to simply close the page.

⚠️ Attention: SMS delivery speed depends on the operator's bandwidth and the gateway used. For businesses, it's critical to choose providers with direct channels (Direct Connect) rather than cheap aggregators with long queues, as this directly impacts your store's traffic.

It's important to understand the difference between on-premises and cloud-based authentication. In the former case, router It manages the process itself, but requires a SIM card or a GSM modem. In the latter, all the logic is moved to the cloud, and the router merely forwards requests. Cloud solutions are often more flexible, as they allow you to change rates and mailing settings from a single control center.

📊 What type of business are you planning to equip with Wi-Fi?
Cafe or restaurant:Hotel or hostel:Shopping center:Coworking or office

Selecting equipment: routers and controllers

Not every network device supports hotspot functionality with external authentication. You'll need enterprise- or provider-grade equipment. The market leader here is the MikroTik, which, thanks to the operating system RouterOS allows you to implement virtually any authorization logic through the built-in HotSpot server.

Access points from can be used as an alternative Ubiquiti UniFi or TP-Link Omada, which have built-in controllers with support for external portals. However, their standard functionality is often limited to basic authorization, and full SMS functionality may require installing third-party plugins or using an external RADIUS server.

When choosing hardware, pay attention to the processor's throughput. Encrypting traffic and handling multiple simultaneous connections creates a high load. If you plan to serve more than 50 concurrent users, budget home routers won't be up to the task. NAT and packet filtering.

Below is a comparative table of popular solutions for implementing this task:

Equipment HotSpot support Difficulty of setup Price
MikroTik hAP ac2 Native (RouterOS) High Average
Ubiquiti UniFi AP Via controller Average High
TP-Link Omada EAP Via controller Average Low
Keenetic (business series) Limited Low Average

Software platforms and gateway providers

Hardware alone won't send SMS. You need a software layer—a billing system or a hotspot service. There are ready-made SaaS solutions on the market, such as Wi-Fi Monster, Beget Wi-Fi or Hotspot SystemThese platforms provide a ready-made interface, login page templates, and APIs for integration with routers.

Using ready-made platforms significantly speeds up the implementation process. You don't need to write code or configure complex scripts on the router side. Simply register with the service, top up your SMS balance, and bind your router's MAC address or install a special authorization script. This is especially important for small businesses that don't have a built-in platform. system administrator.

However, if you own a large chain of establishments, it makes sense to consider the option of deploying your own authorization server based on FreeRADIUS And PHP/Python scripts. This gives you complete control over user data and allows you to integrate authorization with your CRM system or loyalty program.

How does CRM integration work?

Upon successful authorization, the service can send a webhook request to your server, passing the client's phone number. This allows you to automatically create a client card or award bonuses.

The cost of SMS messages varies depending on the operator and traffic volume. When choosing a provider, look for a two-way channel (the ability to receive incoming SMS or replies), although outgoing messages are usually sufficient for authorization. Also, check the delivery terms for short and long codes.

Step-by-step setup using MikroTik as an example

Let's look at the setup process based on the hardware MikroTik, as this is the most flexible and common option. The first step is to create a HotSpot profile and configure a DHCP server that will assign IP addresses to guests before they authenticate. A separate address pool is typically created for this purpose.

Next, you need to configure Walled Garden. This is a list of addresses available to the user before authorization. Your SMS provider's domains must be included in this list so that the number entry page and request submission script work correctly. Without this, the user will see a connection error.

/ip hotspot profile

set name=hsprof1 hotspot-address=10.5.50.1 dns-name=login.mikrotik

/ip hotspot walled-garden

add dst-host=api.sms-provider.com

add dst-host=www.sms-provider.com

The next step is to create an HTML login page. You can use the standard MikroTik template or upload your own custom design. In the form (<form>) action must point to the $(link-login-only) address, and the method must point to POSTThe form fields must meet the requirements of your billing system.

☑️ Pre-launch checklist

Completed: 0 / 1

After configuring the router's logic, you need to link it to the SMS messaging service. In the MikroTik interface, this is done through the "SMS" tab. WISPs or by writing a script in On Login, which will send a request to an external server with user parameters.

Login Page Design and UX

The success of a system implementation depends not only on the technology but also on the user-friendliness of the interface. The login page is the first thing a client sees. It should be as lightweight as possible, load quickly even with a weak signal, and have a responsive design for mobile devices. Avoid complex graphic elements that add weight to the page.

The phone number input field should be prominent, and the action button should have a high-contrast color. Be sure to include an input mask that automatically adds the country code (+7 or +380) to save users time formatting. Validation errors (such as "invalid number format") should be displayed immediately and clearly.

⚠️ Attention: According to personal data laws, the login page must include a link to the privacy policy and a consent checkbox for data processing. Failure to do so may lead to legal risks.

It's considered good practice to include branding elements, such as the establishment's logo, corporate colors, and a welcome message. This creates a sense of security and confirms that the user is connected to your network and not to a fake access point belonging to an attacker.

Legal aspects and data security

Collecting phone numbers is considered personal data processing. You are obligated to ensure that this data is stored in accordance with local laws (in Russia, this is Federal Law No. 152-FZ). The data must be stored on servers located within the country and protected from unauthorized access.

Usage HTTPS The HTTP protocol for the login page is a mandatory requirement of modern browsers and security standards. If the page opens over HTTP, browsers may mark it as "Not Secure," which will discourage customers. To do this, you'll need an SSL certificate, which can be obtained for free (for example, Let's Encrypt) or purchased from a certificate authority.

It's also important to restrict network access rights after authorization. The guest network should be isolated from your internal corporate network (LAN), which contains POS terminals, accounting, and servers with sensitive information. Use VLANs to segment traffic.

What to do if your phone number database is leaked?

In the event of a data compromise, you are obligated to notify the regulator and the users themselves. Therefore, choose SMS providers that guarantee database encryption and do not share their data with third parties.

Regularly update router and controller software. Manufacturers often patch vulnerabilities in authentication protocols that could allow hackers to hijack sessions or redirect users to phishing sites.

Frequently Asked Questions (FAQ)

How much does one SMS for authorization cost?

The cost depends on the chosen provider and the volume of purchased packages. On average, the price ranges from 1.5 to 3 rubles per message for large volumes. For smaller locations, the price can be higher—around 4-5 rubles. Some services offer hybrid models: the first SMS is charged, but repeat messages throughout the day are free.

Do I need to register my access point with Roskomnadzor?

Yes, according to Russian law, information dissemination organizations (IDOs), which include owners of public Wi-Fi networks, are required to identify users. SMS authorization is one of the legal ways to fulfill this requirement, along with authorization through the Unified Identification and Authentication System (Gosuslugi).

Is it possible to implement this on a regular home router?

Theoretically possible on advanced models (for example, Keenetic with firmware KeenOS or routers with firmware OpenWrt), but this will require in-depth technical knowledge and the installation of third-party software. For stable business operation, it's better to use specialized equipment.

What happens if the user's balance runs out?

Incoming SMS messages (receiving a confirmation code) typically don't require a positive balance on the user's SIM card. Operators allow you to receive these messages even with a zero or negative balance, as long as the number isn't permanently blocked.

How long are authorization logs stored?

The retention period for logs is regulated by law (the Yarovaya Law and related regulations). Typically, data on the transfer of information must be retained for a certain period (from 6 months to 3 years, depending on the type of data and the regulator's current requirements).