Apple · Filed Dec 19, 2025 · Published Jul 9, 2026 · verified — real USPTO data

Apple Patents a Wi-Fi System That Checks Your Credentials Before You Can Join

Most Wi-Fi networks let any device in range start probing them for information. Apple's new patent describes a system where a device has to prove it belongs before the access point will even acknowledge it exists.

Apple Patent: Secure Wi-Fi Access Point Discovery — figure from US 2026/0197638 A1
Figure from the official USPTO publication.
Publication number US 2026/0197638 A1
Applicant Apple Inc.
Filing date Dec 19, 2025
Publication date Jul 9, 2026
Inventors Jarkko L Kneckt, Sidharth R Thakur, Yong Liu, Yanjun Sun, Andrew T Kezys, Pooya Monajemi
CPC classification 713/171
Grant likelihood Medium
Examiner CENTRAL, DOCKET (Art Unit OPAP)
Status Docketed New Case - Ready for Examination (Jan 16, 2026)
Parent application Claims priority from a provisional application 63743540 (filed 2025-01-09)
Document 20 claims

What Apple's pre-connection Wi-Fi verification actually does

Imagine walking into a coffee shop and the Wi-Fi router ignores every device that doesn't already have a secret handshake arranged in advance. That's essentially what this Apple patent describes for protected wireless networks.

Right now, when your phone looks for a Wi-Fi network, it sends out a general request and the router responds with its settings, which are visible to any device nearby. Apple's system would change that: your device first generates a one-time ID using a mix of your device's address, the router's address, and a shared secret key. Only then does the router respond, and only to devices that can produce the right ID.

The whole exchange, including the setup messages that normally travel in the open, gets encrypted before your device ever officially joins the network. The goal is to stop outsiders from snooping on who is connecting to what, or harvesting network configuration details they shouldn't have.

How the STA-ID hash and PASN handshake work together

The patent describes a protocol called BSS Privacy Enhancement (BPE), which wraps the normally unprotected setup phase of a Wi-Fi connection in cryptographic verification.

Here's the sequence:

  • Before connecting, your device (the STA, or station) generates a STA-ID by feeding the router's network address, your device's network address, and a pre-shared cryptographic key into a hash function (a one-way mathematical operation that produces a unique fingerprint from its inputs). This STA-ID changes each session because the input addresses can rotate.
  • Your device sends this STA-ID to the access point in the first message of a Pre-Association Security Negotiation (PASN) procedure, which is a Wi-Fi standard handshake designed to establish security before full connection.
  • The access point checks whether the STA-ID is valid. If it is, it responds with its own PASN message. If not, it stays silent, effectively hiding itself from unauthorized devices.
  • Both sides then independently derive a short-lived transient key (TK) from the exchange and use it to encrypt the management frames, the administrative messages that actually complete the connection.

The result is that the network's security parameters and configuration details are never transmitted in the clear to unverified devices.

What this means for enterprise and public Wi-Fi security

In enterprise environments, hospitals, or secure offices, the ability for any laptop in the parking lot to probe network details is a real reconnaissance risk. This patent closes that window by making the discovery phase itself gated, so an attacker can't even learn what security settings a network uses without already having authorized credentials.

For everyday users, the more immediate implication is tracking prevention. Because the STA-ID is derived from rotating addresses, each connection attempt looks different to outside observers, making it harder to track your device across locations. Apple has been pushing on both fronts, private Wi-Fi addresses and tighter connection security, for several years, and this patent fits that longer pattern.

Editorial take

This is careful, unglamorous security infrastructure work, and that's a compliment. Plugging leaks in the pre-association phase of Wi-Fi is genuinely useful, particularly as MAC address randomization has made device tracking harder and attackers have shifted attention to the connection setup phase itself. It won't ship as a user-facing feature anyone notices, but the absence of the problem it solves is exactly the point.

Which company should we read for you?

We track 17 companies here. Pro is the same weekly breakdown for any company you choose, delivered privately. Type a name and we'll scope it and send you a quote.

Get one Big Tech patent every Sunday

Plain English, intelligent commentary, no hype. Free.

Source. Full patent text and figures from the official USPTO publication PDF.

Editorial commentary on a publicly published patent application. Not legal advice.