Today, a little over five months after it was announced in January, WPA3, a new Wi-Fi security protocol and the successor to WPA2, is finally official. The Wi-Fi Alliance, the nonprofit organization that certifies Wi-Fi networking standards, introduced a certification program for the two forthcoming flavors of WPA3 — WPA3-Personal and WPA3-Enterprise — alongside Wi-Fi Easy Connect, a new program that simplifies the process of pairing Wi-Fi devices without displays.
“It’s the next generation of security for personal and enterprise networks,” Kevin Robinson, vice president of marketing at the Wi-Fi Alliance, told VentureBeat in a phone interview. “One of the most important roles for the Wi-Fi Alliance is to ensure that the industry is staying ahead of emerging threats.”
WPA, an acronym for Wi-Fi Protected Access, authenticates wireless devices using the Advanced Encryption Standard (AES) protocol. It’s intended to prevent malicious third parties from spying on wireless data, but in October 2017, security researchers uncovered KRACK, a flaw in WPA2 that allows determined attackers to see, decrypt, and even manipulate network traffic. In the intervening months, most newer phones, laptops, and Wi-Fi routers received firmware updates containing patches for the exploit, but WPA3 was engineered from the ground up to address WPA2’s technical shortcomings.
WPA3-Personal and WPA3-Enterprise networks have a few things in common. They both disallow legacy protocols, meaning that WPA2 devices can’t connect to WPA3-exclusive hotspots that don’t have a special transitional mode enabled, and they require Protected Management Frames (PMF), which prevent folks from eavesdropping on or kicking clients off of a network. But that’s where the similarities end.
WPA3-Personal is optimized for smaller, one-password networks in homes and apartments, and has an authentication mechanism that’s resistant to what’s known as a dictionary attack, in which hackers intercept traffic between a client and Wi-Fi router and use a graphics card or cloud computing service to iterate through all possible passwords. Previous WPA protocols were susceptible to it, but with WPA3, it’s not so easy.
That’s because unlike WPA2, which authenticates devices to the network with a 4-way handshake, WPA3 uses Simultaneous Authentication of Equals (SAE), a protocol that both hardens security at the point of key exchange and protects data traffic even if the password is later compromised.
“For every guess of the password, devices have to interact with each other,” Robinson explained. “Importantly, the connection experience is the same to users. It requires no change in behavior whatsoever.”
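To make the WPA3-Personal rules above concrete (SAE instead of the WPA2 handshake, PMF required, WPA2 clients admitted only in transitional mode), here is an added example, not from the article or the Wi-Fi Alliance, that audits an access-point configuration for them. It assumes hostapd-style `wpa_key_mgmt` and `ieee80211w` settings, which the article does not mention, and the sample configurations are constructed.

```python
# Added example: audit a hostapd-style config against the WPA3-Personal rules
# described above. The hostapd keys used here are an assumption, not from the article.
PSK_AKMS = {"WPA-PSK", "WPA-PSK-SHA256"}  # WPA2-Personal (4-way handshake from a PSK)
SAE_AKMS = {"SAE"}                        # WPA3-Personal


def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return (mode, findings) for one access-point configuration."""
    conf = parse_conf(text)
    akms = set(conf.get("wpa_key_mgmt", "").split())
    pmf = int(conf.get("ieee80211w", "0"))  # 0 = disabled, 1 = optional, 2 = required
    has_sae, has_psk = bool(akms & SAE_AKMS), bool(akms & PSK_AKMS)
    findings = []
    if has_sae and not has_psk:
        mode = "wpa3-only"
        if pmf != 2:
            findings.append("WPA3-only requires PMF: set ieee80211w=2")
    elif has_sae:
        mode = "transition"
        findings.append("WPA2 clients still join with the dictionary-attackable handshake")
        if pmf == 0:
            findings.append("PMF disabled: set ieee80211w=1 so WPA3 clients can use it")
    elif has_psk:
        mode = "wpa2-only"
        findings.append("no SAE: captured handshakes can be guessed offline")
    else:
        mode = "unknown"
        findings.append("no WPA2/WPA3-Personal key management configured")
    return mode, findings


# Constructed sample configurations (not taken from any real device).
WPA3_ONLY = "ssid=home\nwpa=2\nwpa_key_mgmt=SAE\nieee80211w=2\n"
TRANSITION = "ssid=home\nwpa=2\nwpa_key_mgmt=WPA-PSK SAE\nieee80211w=1\n"
SAE_NO_PMF = "# PMF left optional\nssid=home\nwpa=2\nwpa_key_mgmt=SAE\nieee80211w=1\n"

if __name__ == "__main__":
    for name, sample in [("wpa3-only", WPA3_ONLY), ("transition", TRANSITION),
                         ("sae-no-pmf", SAE_NO_PMF)]:
        print(name, audit(sample))
```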
WPA3-Enterprise, a protocol intended for large-scale Wi-Fi deployments in corporate environments, offers a slightly different set of protections: a 192-bit security suite that’s aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems. It’s tailor-made for industrial, defense, and government networks with high-security requirements.
“It offers greater consistency in the application of security protocols … and better network resiliency,” Robinson said.
WPA3 isn’t the only new protocol heading to Wi-Fi routers in the coming months. Wi-Fi Easy Connect, a new connection protocol for WPA2 and WPA3 networks, lets users add devices with limited or no display interface to a network by scanning QR codes. It’s different from Wi-Fi Protected Setup, or WPS, which requires tapping a physical button on the router and client.
“Each Wi-Fi Easy Connect device will have a QR code or a piece of paper inside the box,” Robinson said. “You snap a picture with your phone to onboard it.”
Wi-Fi Easy Connect can be implemented alongside WPS, but the Wi-Fi Alliance is leaving that choice up to manufacturers.
WPA3 and Wi-Fi Easy Connect won’t hit the mainstream right away — Robinson expects to see a surge in 2019, when certification for the next-generation Wi-Fi standard, IEEE 802.11ax, begins — but a few of the Wi-Fi Alliance’s more than 800 members are wasting no time getting the ball rolling. Earlier this year, Qualcomm said it would add support for WPA3 to its flagship system-on-chips as soon as June.
Luckily, WPA2 — which is currently used by around 60 percent of access points, according to Wi-Fi survey website Wigle.net — isn’t going the way of the dodo anytime soon.
“[WPA3] will eventually become mandatory. By the time you see the next generation of Wi-Fi hitting the market, you’ll see very strong if not universal adoption,” Robinson said. “However, while we’re focusing on next-gen Wi-Fi security, the Wi-Fi Alliance continues to maintain and update WPA2.”