What Is WPA3 Wi-Fi? 2021


Short for Wi-Fi Protected Access 3, WPA3 is the newest generation of Wi-Fi security. Announced by Wi-Fi Alliance in 2018, it's an improvement on WPA2 that was built to secure open networks, protect simple passwords, and simplify device configuration.

What About WPA2 Wi-Fi?

Don't worry, WPA2 isn't going away anytime soon; Wi-Fi Alliance will continue addressing its shortcomings and WPA3 access points will remain backwards compatible with WPA2 for the time being.

You can get a feel for how long it had been since a new version of WPA was released when you realize that the first version became available in 2003, and WPA2 just a year after. This puts the release of WPA3 at over a decade later. See WPA2 vs WPA for the changes between those releases.

WPA3 vs. WPA2

WPA3 brings a handful of security updates over WPA2, including safer public Wi-Fi, protection for weak passwords, and easier setup.

Safer Public Wi-Fi

Using public Wi-Fi is usually only recommended as a last resort or if you're not planning on sending or receiving sensitive information like passwords and private messages. This is because you can't be sure who else is snooping on the network and because most free Wi-Fi is unencrypted.

WPA3 provides two ways to improve your security in these situations: forward secrecy and encryption. 

Why is forward secrecy so helpful? In short, it means that an attacker can't collect a bunch of data now and crack it later. With older versions of WPA, someone could capture data from the network, take it home, and decrypt it once she had the password, gaining access to all of that information and any future data she captures. WPA3 isolates each session so that this “lazy” way of hacking is rendered useless; she'd also need to be on the network for every password guess.

Lack of encryption is a huge problem with open networks, but with WPA3 encryption is now available on them. WPA2 networks already encrypt traffic, but not when no password is used, as on open networks. This should have been tackled years ago for obvious reasons, but better late than never.

This encryption is based on Opportunistic Wireless Encryption (OWE) and works through Wi-Fi Enhanced Open to give each device its own individualized encryption, protecting its data even when the network doesn't require a password.
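The difference between the two paragraphs on forward secrecy and per-device encryption can be seen in how the session key is derived. The sketch below is an added example, not code from the original article: the WPA2 functions follow the IEEE 802.11 key derivation (PBKDF2 and the HMAC-SHA1 PRF), while the ephemeral exchange uses a toy Diffie-Hellman group as a simplified stand-in for the exchanges in WPA3, and the passphrase, SSID and MAC addresses are constructed values.

```python
import hashlib, hmac, secrets

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: a function of the passphrase and SSID only."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def wpa2_ptk(pmk: bytes, transcript: dict, length: int = 48) -> bytes:
    """Session key (PTK) via the 802.11 HMAC-SHA1 PRF. Every input except the
    PMK is sent unencrypted in the 4-way handshake, so it is in any capture."""
    t = transcript
    data = (min(t["ap"], t["sta"]) + max(t["ap"], t["sta"])
            + min(t["anonce"], t["snonce"]) + max(t["anonce"], t["snonce"]))
    out = b""
    for i in range((length + 19) // 20):
        msg = b"Pairwise key expansion\x00" + data + bytes([i])
        out += hmac.new(pmk, msg, hashlib.sha1).digest()
    return out[:length]

# Toy Diffie-Hellman group (assumption: a 255-bit prime, far too small for real
# finite-field DH); WPA3 uses standardized elliptic-curve or large groups.
P, G = 2**255 - 19, 2

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2      # ephemeral, discarded after the session
    return priv, pow(G, priv, P)

def dh_session_key(my_priv: int, peer_pub: int) -> bytes:
    return hashlib.sha256(pow(peer_pub, my_priv, P).to_bytes(32, "big")).digest()

def wpa2_session(passphrase: str, ssid: str):
    """Returns (key the station uses, what appears on the air)."""
    transcript = {"ap": bytes.fromhex("020000000001"), "sta": bytes.fromhex("020000000002"),
                  "anonce": secrets.token_bytes(32), "snonce": secrets.token_bytes(32)}
    return wpa2_ptk(wpa2_pmk(passphrase, ssid), transcript), transcript

def ephemeral_session():
    """Returns (AP key, station key, what appears on the air)."""
    ap_priv, ap_pub = dh_keypair()
    sta_priv, sta_pub = dh_keypair()
    transcript = {"ap_pub": ap_pub, "sta_pub": sta_pub}   # private values never sent
    return dh_session_key(ap_priv, sta_pub), dh_session_key(sta_priv, ap_pub), transcript

if __name__ == "__main__":
    key, seen = wpa2_session("coffee-shop-2021", "ExampleCafe")   # constructed values
    # WPA2: the passphrase plus an old capture reproduces the old session key.
    recomputed = wpa2_ptk(wpa2_pmk("coffee-shop-2021", "ExampleCafe"), seen)
    print("WPA2 key recomputed from capture:", recomputed == key)
    ap_key, sta_key, seen = ephemeral_session()
    print("Both ends agree:", ap_key == sta_key, "| on the air:", sorted(seen))
```

With the ephemeral exchange, the session key depends on private values that never appear in the transcript and are thrown away afterwards, which is why a recorded session stays protected even if a long-term secret leaks later.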

Protection Against Weak Passwords

Speaking of better security for open networks, WPA3 has the added benefit of making even weak passwords as secure as strong ones. It uses Simultaneous Authentication of Equals (SAE), which, according to IEEE, is resistant to passive attack, active attack, and dictionary attack.

What this boils down to is that it makes it harder for hackers to crack your password even if it isn't considered a strong password.

Easier Setup

Connecting devices to a Wi-Fi network is sometimes a tedious process. WPA3 features a simpler pairing mechanism called Wi-Fi Easy Connect that uses QR codes for quicker setup.

For example, you might love all the Internet of Things (IoT) devices that fill your home, but setting them up is something you probably put up with only because you have to. It's usually a whole process that requires using your phone to connect to the device directly so that you can then get it hooked up to the rest of the network. Scanning a QR code makes this much faster.

Adding new guest devices on an open network that doesn't require a password is another way Wi-Fi Easy Connect comes into play. It works by having one device operate as what's called a configurator, and other devices as enrollees. Use one device to scan the other, and it's immediately provided the correct credentials without ever needing a password.

WPA3 Security Issues

As with any piece of technology, there will come a time when testing turns up vulnerabilities. While there are core features that make WPA3 better than older standards, that doesn't mean it's free from problems.

In 2019, a flaw dubbed the Dragonblood attack was found that makes it possible for hackers to crack the Wi-Fi passphrase through brute-force and denial-of-service attacks. The good news is that it appears to be a problem only when HTTPS isn't being used, which should be rare.