Wi-Fi® is an integral part of daily life. Billions of people the world over depend on Wi-Fi in their homes and businesses, to shop, bank, coordinate life, and stay connected. Securing Wi-Fi connections is an important element of securing personal data, and Wi-Fi Alliance® has been on the forefront of evolving Wi-Fi security as the number of Wi-Fi devices in use worldwide has grown.
Since 2003, Wi-Fi Alliance has enabled individuals and businesses to increase the protection of information moving across Wi-Fi networks through the Wi-Fi Protected Access® family of technologies. Security features of Wi-Fi Protected Access constantly evolve to include stronger protections and new security practices as the security landscape changes.
The Wi-Fi Protected Access security family includes solutions for personal and enterprise networks.
Wi-Fi CERTIFIED WPA3™
WPA3™ is the next generation of Wi-Fi security and provides cutting-edge security protocols to the market. Building on the widespread success and adoption of Wi-Fi CERTIFIED WPA2™, WPA3 adds new features to simplify Wi-Fi security, enable more robust authentication, deliver increased cryptographic strength for highly sensitive data markets, and maintain resiliency of mission critical networks. All WPA3 networks:
- Use the latest security methods
- Disallow outdated legacy protocols
- Require use of Protected Management Frames (PMF)
Since Wi-Fi networks differ in usage purpose and security needs, WPA3 includes additional capabilities specifically for personal and enterprise networks. Users of WPA3-Personal receive increased protections from password guessing attempts, while WPA3-Enterprise users can now take advantage of higher grade security protocols for sensitive data networks.
WPA3, which retains interoperability with WPA2™ devices, is currently an optional certification for Wi-Fi CERTIFIED devices. It will become required over time as market adoption grows.
WPA3-Personal brings better protections to individual users by providing more robust password-based authentication, even when users choose passwords that fall short of typical complexity recommendations. This capability is enabled through Simultaneous Authentication of Equals (SAE), which replaces Pre-shared Key (PSK) in WPA2-Personal. The technology is resistant to offline dictionary attacks where an adversary attempts to determine a network password by trying possible passwords without further network interaction.
- Natural password selection: Allows users to choose passwords that are easier to remember
- Ease of use: Delivers enhanced protections with no change to the way users connect to a network
- Forward secrecy: Protects data traffic even if a password is compromised after the data was transmitted
Enterprise, governments, and financial institutions have greater security with WPA3-Enterprise. WPA3-Enterprise builds upon WPA2 and ensures the consistent application of security protocols across the network.
WPA3-Enterprise also offers an optional mode using 192-bit minimum-strength security protocols and cryptographic tools to better protect sensitive data:
- Authenticated encryption: 256-bit Galois/Counter Mode Protocol (GCMP-256)
- Key derivation and confirmation: 384-bit Hash-based Message Authentication Code (HMAC) with Secure Hash Algorithm (HMAC-SHA384)
- Key establishment and authentication: Elliptic Curve Diffie-Hellman (ECDH) exchange and Elliptic Curve Digital Signature Algorithm (ECDSA) using a 384-bit elliptic curve
- Robust management frame protection: 256-bit Broadcast/Multicast Integrity Protocol Galois Message Authentication Code (BIP-GMAC-256)
The 192-bit security mode offered by WPA3-Enterprise ensures the right combination of cryptographic tools are used and sets a consistent baseline of security within a WPA3 network.
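The requirements listed above (PMF required, legacy protocols disallowed, and the fixed GCMP-256 / BIP-GMAC-256 suite for the 192-bit mode) can be checked mechanically on an access point configuration. The following audit script is an added example, not Wi-Fi Alliance or hostapd code; it assumes the hostapd.conf option names `wpa`, `wpa_key_mgmt`, `wpa_pairwise`, `rsn_pairwise`, `ieee80211w` and `group_mgmt_cipher`, and the two sample configurations are constructed for illustration.

```python
"""Audit a hostapd-style AP config against the WPA3 requirements above.

Added example (not Wi-Fi Alliance or hostapd code). Option names are the
real hostapd.conf keys; the sample configs below are constructed.
"""


def parse_conf(text):
    """Parse 'key=value' lines; blank lines and '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    akms = set(conf.get("wpa_key_mgmt", "").split())
    rsn_pairwise = set(conf.get("rsn_pairwise", "").split())
    wpa_pairwise = set(conf.get("wpa_pairwise", "").split())
    wpa3_akms = akms & {"SAE", "WPA-EAP-SUITE-B-192"}
    # Legacy protocols: original WPA (wpa=1 or 3) and TKIP are disallowed.
    if conf.get("wpa", "0") in ("1", "3"):
        findings.append("legacy WPA (wpa=1/3) enabled")
    if "TKIP" in rsn_pairwise | wpa_pairwise:
        findings.append("TKIP cipher enabled")
    # All WPA3 networks require Protected Management Frames (ieee80211w=2).
    if wpa3_akms and conf.get("ieee80211w", "0") != "2":
        findings.append("WPA3 AKM configured but PMF not required (ieee80211w!=2)")
    # 192-bit mode fixes the cipher suite: GCMP-256 data, BIP-GMAC-256 mgmt.
    if "WPA-EAP-SUITE-B-192" in akms:
        if rsn_pairwise != {"GCMP-256"}:
            findings.append("192-bit mode requires rsn_pairwise=GCMP-256")
        if conf.get("group_mgmt_cipher") != "BIP-GMAC-256":
            findings.append("192-bit mode requires group_mgmt_cipher=BIP-GMAC-256")
    return findings


# Constructed samples: a WPA/WPA2 mixed network with TKIP, and a 192-bit AP.
LEGACY_CONF = "wpa=3\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP\n" \
              "rsn_pairwise=CCMP TKIP\nieee80211w=0\n"
SUITEB_CONF = "wpa=2\nwpa_key_mgmt=WPA-EAP-SUITE-B-192\nrsn_pairwise=GCMP-256\n" \
              "group_mgmt_cipher=BIP-GMAC-256\nieee80211w=2\n"

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_CONF), ("suite-b-192", SUITEB_CONF)):
        print(name, audit(parse_conf(text)) or ["ok"])
```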
Wi-Fi CERTIFIED WPA2
WPA2 continues to provide security and privacy for Wi-Fi networks and devices throughout the Wi-Fi ecosystem. WPA2 devices will continue to interoperate and provide recognized security that has been its hallmark for more than a decade.
The WPA2 certification program has continually evolved to meet security needs as the security environment changes. In 2018, Wi-Fi Alliance augmented existing security protections for networks through configuration, authentication, and encryption enhancements. Enhanced validation of vendor security implementations reduces the potential for vulnerabilities due to network misconfiguration and further safeguards managed networks with centralized authentication services.
Since 2006, all Wi-Fi CERTIFIED™ devices implement WPA2.
WPA2 will continue to evolve to meet standards for interoperability and security in all Wi-Fi CERTIFIED devices. WPA2 will be available in Wi-Fi CERTIFIED devices for the foreseeable future, and all devices supporting WPA3 will continue to work with WPA2 devices.
Users access Wi-Fi networks everywhere: at home, in the office, in hotels, shopping malls, transportation hubs, and municipal locations. Accessing unsecured networks in these locations presents a risk that someone could acquire personal data, which is why Wi-Fi Alliance highly recommends users ensure they access secure, authenticated networks whenever possible. However, there are situations where an open Wi-Fi network is the only feasible option. While many consumers worldwide utilize open networks with no issue, it is important to be aware of the risk an open network presents, and to be diligent in protecting user data. To address these risks, Wi-Fi Alliance has developed a solution to benefit users of open Wi-Fi networks.
Wi‑Fi CERTIFIED Enhanced Open™ is a Wi-Fi Alliance certification that preserves the convenience open networks offer while reducing some of the risks associated with accessing an unsecured network. Wi-Fi Enhanced Open™ networks provide unauthenticated data encryption to users, an improvement over traditional open networks with no protections at all. These protections are transparent to the user. Based on Opportunistic Wireless Encryption (OWE) defined in the Internet Engineering Task Force (IETF) RFC8110 specification and the Wi‑Fi Alliance Opportunistic Wireless Encryption Specification, Wi-Fi Enhanced Open benefits users by providing data encryption that maintains the ease of use of open networks, and benefits network providers because there are no public passphrases to maintain, share, or manage.
Because Wi-Fi Enhanced Open is a Wi-Fi CERTIFIED™ program, the technology is interoperable with legacy networks, even those using a captive portal. Network operators wishing to deploy a fully-featured authentication and device-provisioning solution should consider approaches such as Wi‑Fi CERTIFIED Passpoint®.
- What does “security” mean in the context of Wi-Fi?
In the context of Wi-Fi technology, security means two things. First, controlling who can connect to and configure your network and equipment. Second, it means securing the data travelling wirelessly across your Wi-Fi network from unauthorized view.
Wi-Fi security is just one aspect of security for networks. A protected Wi-Fi network is a great start, but you should also consider measures to protect your computer (antivirus software, firewall, etc.) and your communications across the internet (virtual private network (VPN), etc.).
- What is the KRACK attack?
This term refers to a potential key reinstallation vulnerability detected in late 2017. Wi-Fi Alliance took steps immediately to ensure users can continue to count on Wi-Fi to deliver strong security protections. For more information on this issue view our security update.
- What are Protected Management Frames?
Wi-Fi CERTIFIED WPA2™ with Protected Management Frames and Wi-Fi CERTIFIED WPA3™ provide protection for unicast and multicast management action frames. Unicast management action frames are protected from both eavesdropping and forging, and multicast management action frames are protected from forging. Wi-Fi CERTIFIED™ ac, WPA3™, Passpoint®, Wi-Fi Agile Multiband™ and Wi-Fi Optimized Connectivity™ devices require Protected Management Frames. They augment privacy protections already in place for data frames with mechanisms to improve the resiliency of mission-critical networks.
- Are Wi-Fi CERTIFIED products protected by security?
Yes. All Wi-Fi CERTIFIED products are tested for WPA2 or WPA3. The only way to be sure that a product meets the latest security standards is to purchase only Wi-Fi CERTIFIED products.
- What security measures should I take when working away from my home?
Configure Wi-Fi client devices (laptops, handsets, and other Wi-Fi enabled products) to enable security protections.
Configure for approved connections: Many devices are set by default to sense and automatically connect to any available wireless signal. Wi-Fi Alliance recommends that you configure your device to not automatically connect to an open network without your approval.
Disable sharing: Wi-Fi enabled devices may automatically enable sharing with, or connecting to, other devices when attaching to a wireless network. File and printer sharing may be common in business and home networks, but it should be avoided on a public network such as a hotel, restaurant, or airport hotspot.
Users may also wish to use complementary security measures to improve the security of their activity over the internet including virtual private networks (VPNs), firewalls, etc.
- What are “legacy protocols”?
Legacy protocols are earlier generations of Wi-Fi security, which have been updated or replaced over time as the security landscape changed. The original security standard was Wired Equivalent Privacy (WEP). It was replaced by the original Wi-Fi Protected Access (WPA) in 2003 as an interim solution to the limited protection offered by WEP. The WPA program added support for Temporal Key Integrity Protocol (TKIP) encryption, an older form of security technology with some vulnerability to cryptographic attacks. WPA was replaced in 2004 with the more advanced protocols of WPA2.
Though the threat of a security compromise is small, users should not purchase new equipment which supports only WPA with TKIP. Only devices supporting WPA2 and WPA3 security should be purchased and used.