
WPA3—The New Standard Of WiFi Security

By a Verblio Writer


WPA2 has been the gold standard for WiFi security for over a decade. Or perhaps we should say the “old” standard; it’s been around for fifteen years. While it hasn’t been broken outright, it has issues that need addressing. It doesn’t have strong protections against brute-force password guessing. The KRACK vulnerability, discovered in 2017, raised further concerns. Breaking the security on a WPA access point lets an intruder decrypt previously intercepted data. It’s time for an update.

There is an update now, and it’s appropriately called WPA3. The WiFi Alliance released the standard in June 2018. Manufacturers already had access to pre-release versions of it and are well on their way to making devices available. Clients and routers that support WPA3 can fall back to WPA2 when communicating with devices that don’t support the newer standard.

Public WiFi with security

Public WiFi, such as you find in shopping malls and libraries, doesn’t require a password. Its current state is, to put it bluntly, disastrous. WPA2 requires a password, so public connections have to fall back to a completely unprotected mode: there is no encryption at all. Anyone with some simple equipment can intercept the traffic and read personal communications. If a site asks for a password without using HTTPS, it’s sent as plain text for anyone to read.

WPA3 uses opportunistic wireless encryption (OWE) for public hotspots without a password. Each connected user gets a different encryption key. People will be able to use public networks without the fear that someone is watching every byte they send and read. However, OWE doesn’t provide authentication, so it doesn’t protect against SSID impersonation.


Other security improvements

Two levels of security are available with WPA3, and both offer significant improvements over WPA2. The Personal level uses a 128-bit key, and the Enterprise level uses a 192-bit key. In addition to using stronger keys, Enterprise WPA3 uses algorithms based on the CNSA suite for authenticated encryption, key derivation and authentication, and management frame protection.

WPA3 features an improved handshake for entering the password and establishing a secure connection. Currently, someone trying to guess a password can capture the handshake, take the data offline, and test any number of passwords until they find one that works.

With the new validation mechanism, called Simultaneous Authentication of Equals (SAE), that won’t be possible. Each authentication attempt requires the active participation of both sides. Someone who gets the password wrong too many times will be blocked from further attempts. If a snooper does succeed, the handshake provides forward secrecy, meaning that the information obtained won’t let the intruder decrypt earlier traffic.


Setting up headless devices

Right now it’s a pain to set up a WPA2 connection for a “headless” device, one with no console or keyboard. WiFi Protected Setup (WPS) works after a fashion, but it’s clumsy and insecure. Just having it enabled is a security risk.

Printers commonly use a WiFi connection, and so do a growing number of IoT devices. The need to set up WiFi where there’s no console or GUI is greater than ever. WPA3 replaces WPS with WiFi Easy Connect. The new approach lets the user set up connections for all supported devices by entering a string or scanning a QR code on a phone or computer. Devices will come with a QR code printed on the gadget or package to make setup easy.

Easy Connect will be available for WPA2 as well as WPA3. However, the device being set up needs to support Easy Connect, so this approach can’t be used with old devices.

Making the upgrade

WPA3 routers are just starting to become available. In most cases it won’t be possible to upgrade existing hardware. The WiFi Alliance requires WPA3 devices to be certified, and companies would rather certify new hardware than apply for certification on their older machines. Deploying WPA3 will require getting at least a new network card and router, and they aren’t likely to be widely available until 2019. Upgrading a whole network to WPA3 will be a rather expensive proposition.

At some point, support for the new protocol will be required for WiFi certification, just as support for WPA2 currently is. This is several years off, though.

A network needs to start by upgrading its routers. They’ll be compatible with WPA2, so they’ll be usable whether or not clients can use the new protocol. A WPA3 network card, on the other hand, won’t offer any advantage until there’s an upgraded router for it to talk to.

Public hotspots won’t be able to drop their existing, insecure service until most people have WPA3. This will take a few years. In the interim, they’ll have to set up a service that tries to negotiate a WPA3 connection and falls back to an unencrypted one if that fails. Alternatively, they can set up WPA3 as a premium service alongside the existing one. That would give clear assurance to customers that they have a secure connection.
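A defender-side check of the points raised above (open hotspots with no encryption, PSK-only handshakes that can be guessed offline, WPS left enabled, and SAE or OWE without management frame protection), as an added example that is not part of the original article: a small Python lint for hostapd-style access point configs. The directive names are hostapd's own; the SSIDs, passphrases and sample configs are constructed for illustration.

```python
"""Lint hostapd-style AP configs for the WPA2-era weaknesses a WPA3 upgrade closes."""

# Constructed sample: a typical WPA2-PSK access point with WPS still switched on.
WPA2_WPS_CONF = """
interface=wlan0
ssid=OfficeNet
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=ExamplePassphrase
rsn_pairwise=CCMP
wps_state=2
"""

# Constructed sample: WPA3 transition mode. SAE for new clients, PSK fallback for
# old ones, MFP optional overall but required for SAE associations, WPS off.
WPA3_TRANSITION_CONF = """
interface=wlan0
ssid=OfficeNet
wpa=2
wpa_key_mgmt=WPA-PSK SAE
wpa_passphrase=ExamplePassphrase
sae_password=ExamplePassphrase
rsn_pairwise=CCMP
ieee80211w=1
sae_require_mfp=1
wps_state=0
"""

def parse_hostapd(text: str) -> dict:
    """Minimal key=value parser; comment and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip('"')
    return conf

def audit(conf: dict) -> list:
    """Return a finding for each weakness the article's WPA3 features address."""
    findings = []
    mgmt = set(conf.get("wpa_key_mgmt", "").split())
    if conf.get("wpa", "0") == "0" and "OWE" not in mgmt:   # hostapd default wpa=0 is open
        findings.append("open network: traffic unencrypted; use OWE for public hotspots")
    if "WPA-PSK" in mgmt and "SAE" not in mgmt:
        findings.append("PSK-only: a captured handshake can be guessed offline; add SAE")
    if ("SAE" in mgmt or "OWE" in mgmt) and conf.get("ieee80211w", "0") == "0":
        findings.append("SAE/OWE without management frame protection (ieee80211w)")
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS enabled: disable it; use Easy Connect for headless devices")
    return findings
```

Running `audit(parse_hostapd(WPA2_WPS_CONF))` reports the PSK-only handshake and WPS; the transition-mode config comes back clean.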

Some devices don’t get replaced very often. A smart refrigerator which you buy today could still be in your home in twenty years. If it doesn’t support WPA3 or Easy Connect, it never will. There will be legacy WPA2 appliances for a long time to come.

Strategic considerations

Upgrade decisions are a part of business strategy, especially when there’s a big jump in technology. Businesses need to decide whether they should delay buying new communication equipment until it has WPA3 capability. If they can hold off for a year, it could be a good idea. Otherwise it depends on how high a priority enhanced security is.

Public, unencrypted networks have the most to gain, but they’re less likely than security-conscious businesses to have the motivation or budget. A large building, such as a shopping mall, will need upgraded repeaters as well as routers, so the cost will be significant. Hotels may be among the first to upgrade, since their business customers worry about leaking information. For most businesses, the process will be a gradual one.

It’s a time of opportunity and uncertainty. The people who make hardware decisions need to ask their vendors when WPA3 equipment will be available and plan their upgrade strategy accordingly.
