WPA3 offers better security - but not today

News by Mark Mayne

Long-mooted Wi-Fi standard is finally certified, including enhanced authentication and encryption measures, but experts fear adoption rates could be slow.

A long-awaited boost to security for Wi-Fi users - both enterprise and consumer - has arrived as the Wi-Fi Alliance begins to certify wireless devices for WPA3.

The new WPA3 security standard includes a range of improved and some entirely new security features, including beefed-up password-based security, protection from dictionary-based brute force attacks (password submissions while offline are now limited), and ‘forward secrecy’. This is particularly important for enterprise networks, as under the current standard if a set of keys is compromised then previous messages can be read by the attacker. With ‘forward secrecy’, however, only current and future data would be exposed. The protocol also now features Simultaneous Authentication of Equals (SAE), a secure key establishment protocol between devices, aimed at providing stronger protection to business and consumer users alike.

The WPA3 security standard comes in two forms: WPA3-Personal, which includes the above improvements, and WPA3-Enterprise, which includes more powerful encryption with a new 192-bit security suite.

Daniel Moscovici, co-founder at Cy-oT, told SC Media UK that improved WPA3 security may take a while to arrive in the real world: “This is a great initiative, but it will probably be years, if at all, until we see any impact since WPA2 is implemented in billions of devices already with no ability to update. Today, we at Cy-oT observe tens of millions of devices worldwide, and we see that on average 80 percent of the networks are WPA2, 5 percent are WPA/WEP and 15 percent are open (not encrypted) networks.”

Chris Schmidt, Senior Manager, Research at Synopsys' Software Integrity Group, echoed the point: “Wi-Fi authentication has come a long way since the early days of wireless networking. Professionals have made it clear that they understand the need for things like strong authentication and authorisation controls for network clients, built-in reauthentication, and identity proofing through the design of the new WPA3 protocol. However, to put the problem simply, there are just too many wireless clients today that will require updates to support the new protocol, and a significant percentage of those devices may never be able to support the new standard. While the move to WPA3 is good and illustrates a secure design, it will be a while before the effects of the new, more secure wireless authentication protocol are truly felt.”

WPA3 supersedes the current best practice enterprise security, WPA2, which is now approaching a decade-and-a-half old, dating from 2004. The Wi-Fi Alliance has sensibly made WPA3 backwards compatible with WPA2, avoiding a confusing and potentially lengthy migration.

Ed Williams, Director EMEA, SpiderLabs at Trustwave, said: “I'm surprised it has taken this long to get an update from WPA2 to WPA3. We know that technology moves quickly, yet, the world of Wi-Fi has remained pretty stagnant over the last decade, and if you're not moving forward, you're going backwards. I do welcome the changes and I hope that products and organisations are aggressive in adopting WPA3 and phasing out WPA2. The quicker we say ‘farewell’ to this protocol the better - I wait to see with bated breath the adoption rates as it appears WPA3 improves security, which can only be a good thing.”
