New Wi-Fi security standards don’t come along very often but industry body the Wi-Fi Alliance has just formally launched one, Wi-Fi Protected Access 3, or WPA3.
Compared to today’s WPA2, it’s a big step up in terms of security features although, like WPA2, WPA3 will also come in Personal and Enterprise versions.
We’ll skip WPA3-Enterprise (the central feature of which is an optional 192-bit key mode required for high-security networks such as those run by governments and hospitals) and move straight into WPA3-Personal, the bit of this upgrade every Wi-Fi user will start to encounter from late 2019 onwards.
How will it make Wi-Fi security better?
More or less as we described in January when news first broke that WPA3 was in the offing – it’s about fixing WPA2’s glaring weaknesses, the biggest of which is the security of Wi-Fi passwords.
When it came along in around 2004, WPA2 Personal (aka WPA2 Pre-Shared Key) looked secure, and included a requirement that users choose passwords with a minimum length of eight characters.
But over time it became apparent that the setup by which a device connects to a WPA2 Personal network – called the four-way handshake – could be captured by an attacker using a software tool.
This data could be taken offline and subjected to a dictionary attack where lots of passwords are tried until the right one is found.
How easy this would be would still depend on the length and predictability of the password, a small consolation given the tendency of many users to choose the name of their pet or street.
WPA3 replaces the Pre-Shared Key with the “Dragonfly” Simultaneous Authentication of Equals (SAE) algorithm, which closes off offline guessing: a captured exchange no longer lets an attacker test passwords at leisure, because each guess requires a live exchange with the network, one try at a time.
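To make the WPA2 weakness concrete, here is an added illustration (not code from the article) of why a captured four-way handshake can be worked on offline: WPA2-Personal’s master key is derived, per IEEE 802.11i, from nothing but the passphrase and the broadcast SSID, so every candidate password can be checked without touching the network. The attempt rates and candidate counts below are assumed, constructed figures used only to contrast the offline model with SAE’s one-live-try-per-guess model.

```python
"""Why a captured WPA2 handshake can be attacked offline, and what SAE changes.

Added example, not code from the article. The key derivation is the one
IEEE 802.11i specifies for WPA2-Personal; the attempt rates below are
assumed, constructed figures for illustration only.
"""
import hashlib
import time


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key both station and AP derive from the passphrase.

    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The only inputs are the passphrase and the broadcast SSID, so anyone
    holding a captured four-way handshake can recompute candidate PMKs
    offline, with no further contact with the network. This is the gap the
    article describes and that SAE closes.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derivations_per_second(samples: int = 20) -> float:
    """Rough single-core rate for the derivation above (GPUs run far faster)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate{i:06d}", "ConstructedSSID")  # constructed input
    return samples / (time.perf_counter() - start)


def candidate_space(alphabet_size: int, length: int) -> int:
    """Number of passphrases of a given length over an alphabet,
    e.g. 26 ** 8 for the eight-lowercase-letter minimum WPA2 required."""
    return alphabet_size ** length


def worst_case_seconds(candidates: int, guesses_per_second: float) -> float:
    """Time to try every candidate at a given guess rate."""
    return candidates / guesses_per_second


def offline_vs_online(candidates: int, offline_rate: float, online_rate: float) -> dict:
    """Compare the WPA2 model (offline, limited only by hardware) with the
    SAE model (one live exchange per guess, so rate-limited by the AP)."""
    offline = worst_case_seconds(candidates, offline_rate)
    online = worst_case_seconds(candidates, online_rate)
    return {"offline_seconds": offline, "online_seconds": online,
            "slowdown_factor": online / offline}


if __name__ == "__main__":
    # Known IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa2_pmk("password", "IEEE").hex())
    space = candidate_space(26, 8)  # eight lowercase letters
    print(offline_vs_online(space, 1_000_000, 1.0))  # assumed rates
```

The assumed rates are deliberately crude; the point is that under WPA2 the attacker sets the pace, while under SAE the access point does.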
The protocol also provides forward secrecy, which means that even if the password is later compromised, it can’t be used to decrypt traffic that was intercepted earlier or to read other devices’ sessions on the same network.
Another flaw was how public networks in places such as airports or coffee shops use no encryption at all, which makes using them incredibly risky. WPA3’s answer is Wi-Fi Certified Enhanced Open, a protocol that uses Opportunistic Wireless Encryption (OWE) to set up a secure connection between the access point and each user, with a unique key per connection.
An excellent upgrade no doubt, but not one that will be able to stop criminals from setting up rogue public access points that people are tricked into connecting to.
Internet of Wi-Fi Things
Ever greater numbers of IoT devices use Wi-Fi, and these are not always easy for home users to set up. WPA3 bundles a new way of connecting them, Wi-Fi Easy Connect, which works by scanning QR codes.
Home users will doubtless be asking themselves whether they will need to buy new products to gain access to all this new security.
The realistic answer is yes, bar a few business-class products that have committed to support WPA3 through software upgrades.
It seems unlikely that most other products – especially consumer ones – will be as lucky. Unless a vendor says otherwise, it’s sensible to assume new hardware will be needed – not only routers but the Wi-Fi interfaces inside devices.
Another snag might be what is mandatory for something to be marketed as “WPA3”. As far as we can tell, only the SAE authentication described above is a core part of certification.
It’s natural to assume that all the enhancements mentioned above will be standard on new WPA3 designs, but it will be worth checking that when products start to appear in the next two years.