Typically this is done by installing a certificate on the device during the initial login. The certificate is encrypted and basically an alternate form of credentials without username and password. Certificates are considered to be very secure. There are mechanisms with certificates to ensure authenticity via trust authorities. Not %100 sure Marriott nor Sofia are using this technique, but I thinking it is likely that they are doing so.


--Jon