8 things your security team needs to know about WPA3

All new Wi-Fi devices must now be WPA3-certified, and this has implications for how you manage wireless security, both in the office and for home-based employees.


Wi-Fi Certified WPA3, the latest generation of Wi-Fi security certification for protecting enterprise networks, is now mandated for use in all Wi-Fi devices. The bolstered security for wireless networks comes at a good time with so many more people working from remote locations and threats rising.

What is WPA3?

WPA3 was introduced in June 2018 by the Wi-Fi Alliance, a worldwide network of companies that deliver Wi-Fi technology. It’s the third and current generation of the Wi-Fi Protected Access (WPA) security certification program, which first became available in 2003.

The Wi-Fi Alliance intended WPA to be an intermediate step in anticipation of the more secure and complex WPA2, which became available in 2004.

The Wi-Fi Certified “seal of approval” from the alliance designates products with proven interoperability, backward compatibility, and the highest industry-standard security protections in place.

Why WPA3 is needed

Concerns about the security of public Wi-Fi networks have been around for some time, and the threats have certainly not gone away. A July 2020 report from cyber insurance provider HSB, part of Munich Re, shows an ongoing increase in identity theft, cyber attacks, and online fraud as cyber criminals steal personal information and millions of dollars.

As part of the research, HSB commissioned Zogby Analytics to conduct a survey of 1,515 US consumers, and found that a majority were concerned that they could be hacked or have their personal data stolen while on a public Wi-Fi connection.

About one-quarter of those surveyed said their identities had been stolen, up 5% over similar HSB surveys in 2018 and 2016. One-third said they had experienced a cyber attack, with computer viruses or other malware being the most typical damage (cited by 72%). Nearly one-quarter of respondents (23%) had their email or social media accounts interfered with, taken over, or used by an unauthorized person.

Meanwhile, demand for Wi-Fi continues to increase. A recent report by Markets and Markets predicts that the Wi-Fi-as-a-service market will grow from $3.4 billion in 2020 to $8.4 billion by 2025, at a compound annual growth rate (CAGR) of 20 percent during the forecast period.

Due to the coronavirus pandemic, many organizations that do not offer company-owned mobile devices are now promoting and adopting bring-your-own-device (BYOD) policies, the report says. This enables employees to gain access to enterprise data on their mobile devices via Wi-Fi.

Among the factors keeping companies from moving ahead with Wi-Fi-as-a-service endeavors are data security and privacy concerns. Maintaining the privacy and confidentiality of organizational data is critical, the report says, so companies are reluctant to expose their data.

Efforts such as WPA3 are intended to address security threats and vulnerabilities that plague wireless networks and give organizations more peace of mind. Here are eight things cybersecurity teams should know about the certification.

1. WPA3 certification is now required for all Wi-Fi devices

The latest certification became mandatory on July 1, 2020 for all new Wi-Fi Certified devices, according to Kevin Robinson, a senior vice president at Wi-Fi Alliance.

“For the last two years [WPA3] was optional,” says Philip Solis, research director, Connectivity and Smartphone Semiconductors, at research firm International Data Corp. (IDC). “New Wi-Fi-enabled products coming out now may be out there for the next two years or up to 20 years. It’s important to use the newest security standard for Wi-Fi now, and it’s not an option any longer.”

2. WPA2 devices will interoperate with WPA3

WPA3 builds on the widespread adoption of WPA2, adding features to simplify Wi-Fi security, enable stronger authentication, deliver increased cryptographic strength for highly sensitive data markets, and maintain resiliency of critical networks, Robinson says.

As the Wi-Fi industry shifts to WPA3 security, WPA2 devices will continue to interoperate and provide recognized security, but experts say an upgrade is clearly due. “WPA2 is 15 years old now. It’s time to move to something newer,” Solis says.

WPA3 is interoperable with WPA2 in Transition Mode, Solis says. “This is less secure than only using WPA3,” he says. “Now that WPA3 is required going forward, consumer Wi-Fi networks will become more secure over time and enterprise networks can soon only allow WPA3-enabled client devices to connect to them.”
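To see which access points still admit WPA2 clients, the Python example below (added here, not from the article or the Wi-Fi Alliance) classifies access point settings as WPA2-only, Transition Mode, or WPA3-only. It assumes the access points use hostapd-style configuration with explicit wpa_key_mgmt and ieee80211w lines; the AP names and sample configurations are constructed.

```python
# Added example; the sample configurations are constructed for illustration.
PSK_AKMS = {"WPA-PSK", "WPA-PSK-SHA256"}  # WPA2-Personal key management

def parse_conf(text):
    """Parse hostapd-style key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def classify(text):
    """Label the WPA-Personal generation(s) an AP configuration accepts."""
    conf = parse_conf(text)
    akms = set(conf.get("wpa_key_mgmt", "").split())
    pmf = int(conf.get("ieee80211w", "0"))  # 0 = off, 1 = optional, 2 = required
    if "SAE" in akms and akms & PSK_AKMS:
        return "wpa3-personal-transition"   # WPA2 clients can still join
    if "SAE" in akms:
        # WPA3-only operation requires protected management frames
        return "wpa3-personal-only" if pmf == 2 else "sae-without-required-pmf"
    if akms & PSK_AKMS:
        return "wpa2-personal"
    return "unclassified"                   # open, enterprise, or not set explicitly

def accepts_wpa2(configs):
    """Return the names of APs that still admit WPA2-Personal clients."""
    legacy = {"wpa2-personal", "wpa3-personal-transition"}
    return sorted(name for name, text in configs.items() if classify(text) in legacy)

# Constructed sample inventory: AP name -> configuration text
SAMPLE_CONFIGS = {
    "lobby-ap": "ssid=guest\nwpa=2\nwpa_key_mgmt=WPA-PSK\nieee80211w=0\n",
    "office-ap": "ssid=corp\nwpa=2\nwpa_key_mgmt=WPA-PSK SAE\nieee80211w=1\n",
    "lab-ap": "# WPA3 only\nssid=lab\nwpa=2\nwpa_key_mgmt=SAE\nieee80211w=2\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE_CONFIGS.items():
        print(name, classify(text))
    print("still accept WPA2:", accepts_wpa2(SAMPLE_CONFIGS))
```
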

3. WPA3 has a mode for individual users

The new certification has a distinct mode of operation for individual users, called WPA3-Personal. Its password-based authentication holds up even when users choose passwords that fall short of typical complexity recommendations. “The technology is resistant to offline dictionary attacks, where an adversary attempts to determine a network password by trying possible passwords without further network interaction,” Robinson says.

WPA3-Personal leverages Simultaneous Authentication of Equals (SAE), a secure key establishment protocol between devices, to provide stronger protection for users against password guessing attempts by third parties. “WPA-Personal’s best feature is that it provides forward secrecy. Data traffic is still protected even if a password is compromised later,” Solis says.

4. WPA3 has a mode for organizations

WPA3 also has a distinct mode of operation for organizations, called WPA3-Enterprise. This mode offers an option that uses 192-bit minimum-strength security protocols and cryptographic tools, aligned with the Commercial National Security Algorithm (CNSA), Robinson says. This provides better protection for sensitive data, he says.

The 192-bit security mode ensures the right combination of cryptographic tools are used and sets a consistent baseline of security within a WPA3 network. “WPA3-Enterprise builds upon WPA2 and ensures the consistent application of security protocols across the network for governments, financial institutions, and the enterprise,” Robinson says. WPA3-Enterprise’s best feature is that it supports 192-bit cryptographic strength, which is important to the government and finance sectors, Solis adds.

5. WPA3-certified devices will have the latest security protocols

With WPA3 now mandatory, organizations and consumers alike can expect their devices to have the latest security protocols, Robinson says. “For example, users of WPA3-Personal receive increased protections from password guessing attempts, while WPA3-Enterprise users can take advantage of higher-grade security protocols for sensitive data networks.”

6. Rules against password reuse particularly important with WPA3 devices

One point that might not be well understood about WPA3 is that it forces all of a user’s devices to save and encrypt their passwords as is, both on the client side and on the access point side, says Eyal Ronen, a faculty member at Tel Aviv University’s School of Computer Science who researches cybersecurity and applied cryptography. “This is in contrast to the normal way we save passwords on servers. (We only save a salted hash output of the password). This makes it extremely important not to reuse the Wi-Fi password with any other use case,” he says.

7. WPA fixes shortcomings in WEP

The Wi-Fi Alliance defined WPA in response to weaknesses researchers had found in the previous system, called Wired Equivalent Privacy (WEP). “This used the same encryption key for each packet, which allowed automated software to crack it very quickly,” Solis says. “A lot of people still have a bad perception of Wi-Fi security because of open Wi-Fi access points with no security, and the media reports about WEP being cracked.”

8. WPA3 development is ongoing

Wi-Fi Alliance continues to evolve WPA3 to meet security needs, Robinson says. Following the introduction in 2018, enhancements were made in December 2019 and continued WPA3 development is underway.

Copyright © 2020 IDG Communications, Inc.
