[cxcorp]

What if the captive portal just had a link (or on an IFE screen, a QR code) that connected your phone to a different, WPA2/WPA3 protected, hidden WiFi SSID that was generated exclusively for you? Phones nowadays support joining a passphrase protected WiFi AP via a QR code, so I'd imagine that's doable. The hard part would be finding routers that support >300 different hidden SSIDs, but honestly I would hope that that is technically feasible nowadays.

That way you'd at least have the protection of the WPA GTK.

[zekica]

You can have an AP accepting multiple different WPA2-PSK and/or WPA3-SAE passphrases, and since on WPA2 PMK depends on the password, and on WPA3 PMK is different for each client, you can put them in different VLANs or have per PMK MAC mapping if they share the same VLAN.

[tpolzer]

The AP still has to send regular beacons for each hidden SSID, taking up air time.

[tharkun__]

This. And even if the >300 is not available, how many people actually buy Wi-Fi on the plane? That is the number of clients that need to be supported. And if that's still a problem (or you don't want to guess), the SSID can be hidden and static and the only thing non-static is the password that works for just the duration of the flight you are on.

[pbhjpbhj]

So you just take a photo of anyone's QR code? I'm not sure the hidden SSID achieves anything, that is presumably plaintext in the wi-fi transmission?

[eru]

That QR code would only be displayed for a short time, and mostly only people sitting directly behind you could snap the picture.

It's not airtight, but better than the system it would be replacing.

[cxcorp]

The hidden SSID stops the users' WiFi list being full of random, password protected SSIDs when they just want to connect to the open portal WiFi.