Quick Links

Key Takeaways

WPA3 is a wireless network security algorithm that replaces WPA2. It was introduced in 2018, and all Wi-Fi devices certified after July 2020 are required to support it. WPA3 is more secure than WPA2.

WPA3 was introduced in 2018, but there's still a bit of confusion surrounding what it is, what improvements it offers, and how to get it. Here's what you need to know about WPA3 and how to use it with your home Wi-Fi network.

WEP, WPA, and the Road to WPA3

Since the introduction of Wi-Fi in the late 1990s, Wi-Fi has always had some form of security algorithm to provide for user authentication and communication encryption.

The original Wi-Fi security algorithm was Wired Equivalent Privacy (WEP), introduced in 1997 as part of the first generation of Wi-Fi. As the name implies, it was intended to provide a level of privacy equivalent to that a user would experience on a wired network connection.

From the outset, WEP wasn't a particularly strong encryption protocol, and early Wi-Fi routers and access points were vulnerable to exploitation. WEP was superseded by Wi-Fi Protected Access (WPA) in 2003. And while WPA was a significant improvement over WEP, it too proved to be vulnerable to attack, especially when users set their Wi-Fi routers to use WPA (TKIP).

TKIP, or Temporal Key Integrity Protocol, was vastly better than the encryption used in WEP but was quickly shown to have vulnerabilities. WEP and WPA (and all its variants) have now been deprecated and should no longer be used.

In 2004, the Wi-Fi Alliance rolled out Wi-Fi Protected Access II (WPA2) which included enhancements to WPA, most notably an upgrade from TKIP to the much more robust AES (Advanced Encryption Standard). From September 2004 to June 2020, all devices bearing the official Wi-Fi certification trademark had to comply with WPA2 standards.

In 2018, the Wi-Fi alliance announced Wi-Fi Protected Access III (WPA3). Compliance with WPA3 standards wasn't mandatory until July 2020---at which point all new devices seeking Wi-Fi certification had to comply with the mandatory elements of the WPA3 standard.

How Does WPA3 Differ From WPA2?

At this point, several years after the initial announcement of WPA3 in 2018, you've likely come across the name. And depending on how new your Wi-Fi router and devices are, you may have even found it in the settings menus. So what's the real difference, and why would you consider using WPA3?

Core WPA3 Security Enhancements

First, let's look at some of the core security enhancements. There are many small enhancements to WPA introduced in the transition between WPA2 and WPA3, but in service of not turning this article into a hundred-page technical document, we'll stick to highlighting the high-profile enhancements.

Also note, we call these "core" because not every improvement proposed and included in the broader WPA2-to-WPA3 upgrade is mandatory. The following improvements are, however.

Enforced Protected Management Frames (PMF)

Many of the improvements you see in various generations of Wi-Fi security are not brand new things but merely the newest security standard enforcing the use of prior security measures.

You may have read about how WPA3 is more secure. One of the reasons it is more secure is that WPA3 certification requires the use of Protected Management Frames (PMF). Network frames are pretty technical, but you may remember we briefly touched on them in our discussion of how long a Wi-Fi network name can be.

In wireless networking, a management frame is type of transmission used to send authentication, deauthentication, probe requests and responses, and other administrative behind-the-scenes communication between the Wi-Fi router and the client devices connected to it. These tiny transmissions help your devices securely connect to your Wi-Fi network and, as you can imagine, are quite crucial and sensitive.

Without Protected Management Frames enabled, all that management frame data is sent in the open which, from a security standpoint, is problematic. With PMF enabled, the management frames are encrypted.

The PMF system was first introduced in 2009, but only with the release of the WPA3 and updated certification requirements is it now required for all devices using WPA3, the term "enforced PMF." That might all seem a bit technical, but you should rest easier knowing that enforced PMF ensures that your connection is protected from common exploits.

This includes disconnect attacks (which spoof network data and force clients to disconnect, potentially as a springboard for other attacks), as well as honey pot and "evil twin" attacks (which steer the client device away from the real Wi-Fi access point, again opening it up for other attacks.) You can read more about Protected Management Frames in this Wi-Fi Alliance document.

Protection Against Brute Force Attacks

WPA3 includes numerous enhancements to protect against brute force and offline attacks. The most noteworthy change (and certainly the most sweeping) is the shift away from the Pre-Shared Key (PSK) model to the Simultaneous Authentication of Equals (SAE) model.

The PSK system has been plagued with vulnerabilities since its inception. PSK systems are vulnerable to brute force attacks with freely available tools and, especially troubling, offline attacks where the attacker can collect data from your network communications and then work on cracking it at their leisure. The core encryption used by WPA2 (AES) isn't the problem; the four-way key handshake used by WPA2 is the problem.

The SAE system changes the way the handshake between the Wi-Fi access point and the device functions, preventing exploits like Key Installation Attacks (KRACK) and offline brute force decryption of collected Wi-Fi data.

In 2019, a group of five proof-of-concept exploits were released for the new SAE system collectively called Dragonsblood (a nod to the Dragonfly Key Exchange that SAE is based on). Fortunately, the exploits were easy to patch, and there were recorded instances of the exploit used in the wild. That's certainly a lot more than we can say for previous Wi-Fi exploits and their impact.

Advanced 192-Bit Enterprise Encryption

In addition to the security enhancements available to both WPA3 Personal and WPA3 Enterprise users, the WPA3 Enterprise users get an additional bonus.

Although it's not something you'll typically set up at home unless you're a power user that likes to use your home network as a home lab to play with advanced network tech, companies can now deploy Wi-Fi with advanced encryption. WPA3 Enterprise 192-Bit Mode offers the most advanced Wi-Fi encryption available.

Optional WPA3 Enhancements

Certain elements are required for WPA3 certification, like the aforementioned enforced PMF and support for SAE key exchange. The following two improvements are not currently part of the core WPA3 certification requirements but are independent Wi-Fi alliance certifications that can be layered on top of a product along with the core WPA3 certification.

Because both of these features were announced and heavily promoted at the same time as WPA3, they've become linked with the upgraded wireless security standard.

Wi-Fi Enhanced Open

If you remember a lot of chatter about secure open Wi-Fi hotspots back when WPA3 was announced in 2018, this is what you remember: Wi-Fi Enhanced Open, a new way of securing open Wi-Fi networks based on Opportunistic Wireless Encryption (OWE).

Wi-Fi Enhanced Open is a welcome improvement to the security of open Wi-Fi networks like the kind you find in airports, hotels, coffee shops, and other public locations. Because such locations have networks open for anyone to connect to, the network traffic isn't encrypted.

While the increased use of HTTPS and application encryption to secure web, social media, and other connections has made using the internet safer regardless of the security settings of the Wi-Fi network you're connected to, it's still less than ideal to have all your device traffic in the open air.

Wi-Fi Enhanced Open combined with WPA3 creates an encrypted connection between your device and the Wi-Fi access point from the moment you connect to the open network---regardless of the fact that you never authenticated on the network or supplied a password.

This is a light-year-level leap forward in open hotspot security and a welcome departure from the Wild West unencrypted experience older open Wi-Fi networks offer.

Wi-Fi Easy Connect

Wi-Fi Easy Connect is the Wi-Fi Alliance certification name for Device Provisioning Protocol (DPP). Wi-Fi Easy Connect is a secure method for connecting devices to your Wi-Fi network intended to supersede Wi-Fi Protected Setup (WPS). Given the security issues that plagued WPS, this is a welcome upgrade.

With Wi-Fi Easy Connect, you scan a QR code or NFC tag on your Wi-Fi router using a configuration app. Then you simply scan the QR codes or NFC tags on any Wi-Fi Easy Connect enabled devices. If you've used your iPhone to scan HomeKit devices into your smart home network, it's a very similar experience.

Wi-Fi Easy Connect replaces WPS and offers that same ease of scan-to-add use so that you can add devices without displays, keyboards, or even buttons to your network without a hassle. This is a significant improvement over the insecure WPS system and a lot faster than the hoop-jumping that goes along with putting a device in Wi-Fi pairing mode, connecting your phone to the device, putting your SSID and password in, and other overly complicated ways to add gear to your home network.

In addition to making it easier to add devices to your home network securely, Wi-Fi Easy Connect has a bonus feature. When you pair a device to your router using Easy Connect, the device's connection persists even through changes to your router's SSID and password. So if you have to make changes to your network, you don't have to go through your home and re-add your thermostat, smart bulbs, and other Wi-Fi Easy Connect compatible devices to the network again.

How Can I Get WPA3 on My Wi-Fi Router?

Everyone reading this guide is in one of three potential situations regarding a WPA3 upgrade on their home Wi-Fi network. Either they have a new router that supports WPA3, they have an older (but not too old) router that can get WPA3 with a firmware update, or they need to update their router entirely. Given that WPA3 is the best Wi-Fi encryption you can use on your home network, people are certainly right to be curious which camp they fall into and how they can get WPA3.

You Have a New WPA3 Certified Router

If your router was certified after 2018, there is a good chance it is WPA3 compatible. If it was certified after July 1, 2020, it must be WPA3 compatible.

In that case, you can simply log into your router and enable WPA3 in the network settings. If you find that older Wi-Fi devices drop off your network after you enable WPA3, you may want to switch to WPA2/WPA3 Transitional mode to allow older devices to use WPA2 to connect.

You Have a Firmware Upgrade Eligible Router

Unlike some home network and smart home upgrades where the improvement requires new hardware (such as a device with a special security chip or a new radio type), WPA3 is a software-based upgrade over WPA2.

If your Wi-Fi router has robust enough hardware to support the demands of WPA3 (such as Protected Management Frames) and the manufacturer releases updated firmware, you're in business. The entire line of Eero mesh routers going all the way back to the first generation have received firmware updates for WPA3, for example.

So while there are plenty of good reasons to update your router (especially if it's that tired old router your ISP gave you), be sure to check for firmware updates before making the jump just to get WPA3 support.

You Have an Old Router

Most people hang onto their Wi-Fi routers for years, so there is a good chance that even in early 2023, quite a few people reading this article have routers old enough that they don't support WPA3 (and can't/won't receive a firmware update to support it).

If you find yourself in that situation, it's probably time to upgrade. And not just because getting access to WPA3 is an excellent step forward in Wi-Fi security. Router technology advances steadily over time, and if your router doesn't support WPA3, it was likely designed and certified 3-5+ years ago.

Even if you're not super intent on getting WPA3, it's probably time to upgrade your router anyway to enjoy better hardware, better coverage, and access to more advanced features (WPA3 included).

Frequently Asked Questions About WPA3

WPA3 might have been announced in 2018, but that doesn't mean people still have many questions about it. Here are some common questions we get about WPA3 Wi-Fi routers and devices.

Can Old Routers Be Upgraded to WPA3?

In theory, yes. Whether or not a Wi-Fi router or other device gets a firmware upgrade that enables WPA3 is depending on the hardware in that device, the manufacturer, and whether or not the manufacturer intends to jump through the necessary hoops and release updated firmware for old hardware.

It's safe to say that if your particular router hasn't received a firmware update to support WPA3 by this point, it's unlikely to receive one in the future.

Can I Use WPA3 With Older Devices?

Both the Wi-Fi access point and the attached device need to support WPA3 for you to use WPA3 with an older device. If you have a WPA3-capable Wi-Fi router but still have WPA2-only devices on your home network, you need to enable WPA2/WPA3 transitional mode or replace the WPA2-only devices with updated devices that support WPA3.

One workaround for this problem is to use a new Wi-Fi extender or mesh node that supports WPA3 and has Ethernet bridge ports. You can then plug any Ethernet-capable device and the network connection will be handled by the WPA3-capable extender or node. You might not be able to update your old console or computer to WPA3 directly, but this hack bridges your device to the network using WPA3.

Will Devices Purchased Today Have Guaranteed WPA3 Support?

No, devices purchased today do not have guaranteed WPA3 support. This might seem confusing, given that WPA3 was announced in 2018 and WPA3 became mandatory in July 2020, but an important distinction must be made.

The mandatory requirements are based on when a given device was certified by the Wi-Fi Alliance, not when it was manufactured.

For example, as of early 2023, you can still buy the best-selling Netgear Nighthawk 5700. But the 5700 was certified over a decade ago. It doesn't need to meet the current Wi-Fi Alliance certification standards when it is manufactured or sold. It only needs to meet the Wi-Fi Alliance certification requirements from when it was originally certified in 2013.

To avoid this problem, it's best to confirm any older device you're considering purchasing has WPA3 support or to simply buy products that were certified and brought to market after July 2020.

Is There Any Risk to Trying Out WPA3?

No, there is zero risk in trying out WPA3. In the best-case scenario, everything in your home is new enough to support WPA3, and you notice zero difference between WPA2 and WPA3 (but benefit from the increased security and optimizations).

Worst case scenario, you notice a bunch of Wi-Fi devices drop off your network and no longer connect properly. At that point, you can either switch to WPA2/WPA3 transitional mode or back to WPA2 mode, and all those devices will automatically reconnect to your Wi-Fi router.

There's no risk in playing around with the settings, as everything will go back to how it was when you revert the settings.

Is My Home Network Vulnerable If I Don't Upgrade to WPA3?

When you talk about security and risk, the answer is never a binary yes or no, but a study in degrees and risk acceptance/avoidance.

WPA3 includes many welcome security improvements over WPA2 and, eventually, everyone will be using WPA3 (and we'll be talking about WPA2 the same way we talk about old deprecated standards like WEP and WPA). So if you can switch over to WPA3 with minimal headache and without replacing all the devices in your home to support it, by all means do so.

But if you have a lot of older devices you don't want to replace yet, you can use WPA2/WPA3 transitional mode for as long as you need to or even continue to use WPA2 (AES) mode with an older router. Just be sure to use these router security best practices to keep your router as secure as possible.

Do I Need WPA3 Enterprise Mode?

Home users don't need WPA3 Enterprise Mode. Not only do many residential-grade routers not support it, but it requires additional infrastructure to deploy (in addition to the Wi-Fi hardware you also need an authentication server to handle device authentication and key management).

There is no practical reason for a home user to fuss with Enterprise Mode. The general security improvements that come with upgrading from WPA2 Personal WPA3 Personal are substantial, and the additional boost that Enterprise level encryption offers isn't worth the hassle for a home setup.