Earlier this month, the Wi-Fi Alliance issued a press release announcing the availability of WPA3.
Built on top of several existing but not widely deployed technologies, WPA3 makes several vast improvements over the security provided by WPA2. Most notably, WPA3 should close the door on offline dictionary-based password cracking attempts by leveraging a more modern key establishment protocol called Simultaneous Authentication of Equals (SAE).
This mechanism has some commonality with the Diffie-Hellman key exchange and has already been deployed in some mesh network standards. In addition to thwarting offline password cracking attempts, SAE provides forward secrecy, so that an attacker cannot decrypt previously recorded sessions – even if the WPA3 passphrase is known.
Another huge enhancement in this announcement is the Wi-Fi Device Provisioning Protocol (DPP) to replace the readily exploitable Wi-Fi Protected Setup (WPS).
With DPP, devices can be authenticated to join a network without a password through various means, including QR codes or NFC tags. Unlike existing options, however, this is not simply a mechanism for communicating the password but rather it is a way for devices to perform mutual authentication without a password.
WPA3 also promises to improve security for open networks, such as guest or customer networks in coffee shops, airports and hotels. Although the standard does not appear to protect against a rogue access point, it should prevent passive nearby attackers from being able to monitor communication in the air.
This is because WPA3 supports password-free encryption between stations and access points but does not seem to provide a way for devices to discern between legitimate and rogue access points.
Despite these vast improvements, there is likely no reason for anyone to be rushing out to buy a new router for WPA3 support.
For starters, it is important to recognize that Wi-Fi has a long history of incompatibility among devices following the same standards and, if history is any indicator, it may take some time before there is strong interoperability between vendors.
It’s also important to note that operating systems do not yet have widespread support for WPA3, and overtime it seems likely that some devices will receive software upgrades to enable WPA3.
For now, I think consumers should focus on the basic security tips we’ve been recommending for years.
All things considered, the far greater threat to most people’s Wi-Fi connections comes from the growing number of IoT botnets that leverage default passwords and known vulnerabilities in routers and other devices. Before worrying about WPA3, most consumers will be best served by reviewing my guide for securing home networks to minimize their chances of falling prey to something like VPNFilter.