Wi-Fi 6 will bring enhanced security to Wi-Fi users with Wi-Fi Protected Access 3 (WPA3), the successor to WPA2.
For Wi-Fi 6 access points to obtain certification through the Wi-Fi Alliance, they must support WPA3.
WPA3 provides the latest security protocols, robust authentication, and increased cryptographic strength. It builds upon and improves WPA2, which was released in 2004.
We’re still waiting for widespread support from device manufacturers. Newer devices with Wi-Fi 6 capability must support WPA3.
Why Use WPA3
It is mandatory to support WPA3 in Wi-Fi 6/6E. There are a few enhancements in WPA3 that improve Wi-Fi security.
Protected Management Frames
Protected Management Frames (PMF), also called Management Frame Protection (MFP), is now mandatory. PMF is not new. In fact, it was optional in previous Wi-Fi generations. PMF provides protection against deauthentication attacks, honeypots, and evil twin attacks.
We’ve seen quite a few deauthentication attacks from spoofed access points which result in devices disconnecting from the Wi-Fi network.
Simultaneous Authentication of Equals (SAE)
The predecessor, WPA2, had vulnerabilities in the way cryptographic keys were processed. Simultaneous Authentication of Equals (SAE) improves the security of password-based authentication and protects the 4-way handshake.
SAE is not new. It was introduced in 802.11s for mesh networking and is robust against passive attacks and dictionary attacks.
Encryption is critical for keeping data private over Wi-Fi. WPA3-Enterprise introduces a 192-bit encryption mode. The benefit is much stronger cryptography.
Not all devices currently support WPA3. There is a transition configuration to allow both WPA2 and WPA3 devices.
Those two transition modes are:
- WPA3-Personal Transition
- WPA3-Enterprise Transition
In a transition mode, WPA3-capable devices connect to Wi-Fi using WPA3, and clients that do not support WPA3 connect using WPA2.
The WPA3-only modes:
In the latter two modes, we eliminate the use of legacy and deprecated security functions.
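To verify which mode an SSID is actually advertising, the following added example (not from the original article or from Mist) parses the RSN element of a beacon and classifies the Personal modes described above. The function names and sample byte strings are constructed for illustration; the AKM selectors and PMF bit positions are those of the IEEE 802.11 RSN element, and the PMF expectations (capable in transition mode, required in WPA3-only mode) are an assumption taken from the WPA3 specification rather than from this page.

```python
import struct

# AKM suite selectors under the IEEE 802.11 OUI 00-0F-AC: type 2 = PSK, type 8 = SAE
OUI = bytes.fromhex("000fac")
AKM_PSK, AKM_SAE = 2, 8
MFPR, MFPC = 0x0040, 0x0080  # RSN Capabilities: PMF required / PMF capable
# Constructed sample RSN elements (CCMP-128 ciphers), not captured traffic
SAMPLE_WPA2 = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
SAMPLE_TRANSITION = bytes.fromhex("3018 0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000")
SAMPLE_WPA3_ONLY = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac08 c000")


def parse_rsn(ie: bytes):
    """Return (AKM types, pmf_capable, pmf_required) from an RSN element (ID 48)."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body, pos = ie[2:], 0

    def take(n):
        nonlocal pos
        chunk, pos = body[pos:pos + n], pos + n
        if len(chunk) != n:
            raise ValueError("truncated RSN element")
        return chunk

    if struct.unpack("<H", take(2))[0] != 1:
        raise ValueError("unsupported RSN version")
    take(4)                                        # group data cipher suite
    (n_pairwise,) = struct.unpack("<H", take(2))
    take(4 * n_pairwise)                           # pairwise cipher suite list
    (n_akm,) = struct.unpack("<H", take(2))
    akms = {s[3] for s in (take(4) for _ in range(n_akm)) if s[:3] == OUI}
    (caps,) = struct.unpack("<H", take(2))
    return akms, bool(caps & MFPC), bool(caps & MFPR)


def classify_personal(ie: bytes) -> str:
    """Map the advertised AKMs and PMF bits to a Personal-mode label."""
    akms, capable, required = parse_rsn(ie)
    if AKM_SAE in akms and AKM_PSK in akms:
        return "WPA3-Personal Transition" if capable else "SAE without PMF"
    if AKM_SAE in akms:
        return "WPA3-Personal only" if required else "SAE without required PMF"
    if AKM_PSK in akms:
        return "WPA2-Personal"
    return "other"
```

Enterprise AKMs fall through to "other" here; the same element carries them, so the classifier can be extended the same way.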
When Should You Migrate
You can start transitioning today with WPA3 transition mode. This will enable both WPA2 and WPA3, allowing unsupported devices to continue to connect and allowing WPA3-capable devices to move on to the next iteration of Wi-Fi security.
Device support will dictate how quickly we can move away from WPA2.
By using a transition mode, you can broadcast a single SSID, instead of provisioning a second.
Take inventory of your devices to understand what security functions they support. Ideally, migrate to WPA3 to strengthen your Wi-Fi security posture, but not at the expense of stranding unsupported devices.
See how to configure WPA3 in the Mist dashboard