WPA3: The Cutting-Edge of WiFi Security

To be effective, WiFi security needs to keep up with rapidly evolving cyber threats, which is where the WPA3 standard comes in to make private and public networks alike more resilient.
top choice
  • NetSpot
  • Wi-Fi Site Surveys, Analysis, Troubleshooting
  • 4.8
  • 969 User reviews
To prepare for this new level of protection, homes, and businesses should analyze their network’s coverage with tools like NetSpot to offer maximum coverage when installing new routers and WiFi extenders.

What is WPA3

Every generation of computer technology spawns both new promise and new problems. When the first universities allowed users to connect to powerful mainframes, unruly students found ways of accessing other student’s information to play pranks on each other, requiring the creation of password protection and access rights.

Today, computers and wireless networks occupy every aspect of life, from schools, hospitals, businesses, libraries — even coffee shops and buses offer WiFi access. But with all this access, there is the need for WiFi network security. A person connecting via their laptop could be transmitting the passwords to their bank account over the air for a hacker to pick up.

The biggest problem with allowing access to a local WiFi network isn’t just WiFi encryption, but how to register devices onto the WiFi network. If there’s a shared password, then anyone who shares that with another person or writes it down runs the risk of unauthorized users getting access to the network.

For those old enough, remember that scene from the movie “Wargames” where Matthew Broderick’s character would purposely get detention so he could find the network’s password written down in a secretary’s desk? Hackers use the same technique when someone writes down the WiFi password on a Post-It on their desk to get access into the network and start capturing packets.

WPA3 security is designed to help prevent that. Rather than relying on shared passwords, WPA3 signs up new devices through processes that don’t require the use of a shared password.

WPA3

This new system, called Wi-Fi Device Provisioning Protocol (DPP), works by transmitting how to gain access to the system without transmitting a password into the air. With DPP, users use QR codes or NFC tags to let devices onto the network. By snapping a picture or receiving a radio signal from the router, a device can be authenticated to the network without sacrificing security.

WPA3 encryption is geared to be better than previous iterations

WPA3 encryption is geared to be better than previous iterations of WiFi technology. First, like the move of browsers Google Chrome and Firefox to warn or outright block users from connecting to insecure web servers, WPA3 security discards older encryption mechanisms in favor of ones that have not been broken.

Granted, nothing lasts forever in the world of security, but WPA3 Encryption is covered by 256-bit Galois/Counter Mode Protocol (GCMP-256) so that makes breaking through the encryption harder.

How big is a number like 256-bit? Previous encryption algorithms worked with 128-bit encryption. In Math terms, that’s 3.048 x 10^38 - that’s 3 followed by 38 zeros after it - that’s how many calculations a computer would have to make to even guess at what the encryption key is. 256-bit encryption? That’s 1.15 x 10^77 — 1 with 77 zeroes following after it.

There is a fewer number of atoms in the known universe compared to that number. There are fewer episodes of Judge Judy than that number. Fewer times that someone has asked, “Explain the plot of the movie Inception.”

It’s a big number.

When transferring encryption keys between the router and devices, WPA3 WiFi Security uses 384-bit Hashed Message Authentication Mode so both the device and the router confirm that they can connect, but in a way where even if someone picks up the communication between them they can’t figure out what they original encryption key is.

It’s like the Navajo code talkers back in World War II who used codes while speaking a language no one else in the world understood. Even if a third party could pick up the radio signals, it wouldn’t make any sense to them. Even if they also happened to speak Navajo, they’d have to know the additional code structure underneath that to understand what the message actually meant.

This is how WPA3 keeps communications safe — with better encryption, better ways of setting up that encryption, and methods that keep people connecting to the network from knowing the passwords that have them on the network.

Main Forms of WPA3

To address the needs of different categories of WiFi users, WPA3 comes in several main forms. Understanding the differences between them can help you take full advantage of its security features.

WPA3 Personal

Home users are expected to use the WPA3 Personal form, which relies on passphrase-based authentication. This form offers a familiar user experience but a vastly superior level of protection against brute force cracking thanks to Simultaneous Authentication of Equals (SAE).

WPA3 SAE replaces the Pre-Shared Key (PSK) authentication method used in previous versions of WPA to generate a key that’s completely unique to each authentication.

As a result, attackers lose the ability to perform off-size attacks on captured data packets to overcome the defenses of the target network. What’s more, members of the same network can’t snoop on the traffic of other members.

WPA3 Enterprise

The WPA3 Enterprise form extends the solid foundation provided by WPA2 Enterprise by making it mandatory to use Protected Management Frames (PMF) on all connections. This security feature protects against such dangerous attacks as honeypots and eavesdropping.

To better protect the most sensitive data, WPA3 Enterprise can optionally operate in a special 192-bit mode. This mode isn’t necessary to achieve a satisfactory level of security, but all enterprises are encouraged to take advantage of it to enjoy the best protection available.

WiFi Enhanced Open

Unencrypted public WiFi networks represent a huge threat, and many WiFi users are not even aware of how dangerous they can be. WiFi Enhanced Open addresses this problem by providing unauthenticated data encryption based on Opportunistic Wireless Encryption (OWE).

Unauthenticated data encryption preserves the convenience of public WiFi networks because no passphrases are involved, so there’s really no reason not to enable it.

Check your Encryption using NetSpot

Powerful advanced tool for multiple Wi-Fi networks Surveys, Analysis and Troubleshooting.

How does it differ from WPA2?

As mentioned above, WPA3 handles WiFi security differently. Most people connect via a WPA2 network either by sharing passwords (bad) or via WPS. WPS is convenient. Tap a button on the router at the same time as the device to connect to the device to the router, and we’re on.

The problem is WPS sends a 23-bit pin as part of the signup process. 23 bits is nothing compared to the 384-bit hashes that WPA3 uses to connect devices to routers. A clever hacker can sit there and within 9 million tries — a mere minute in computer terms — gain access to the router. Just sit, wait for the WPS signal to go out and the hacker could be in.

Then there’s the level of encryption for open networks. Going into a coffee shop or connecting a phone into the mall lets that device onto an open network. It makes sense. The inconvenience in connecting to a WiFi network with even a shared password is usually too much for a store’s customers to stand for.

The problem is that on an open wifi network, a clever hacker can listen in between the devices and try to decrypt the communications between bank websites or cashier machines. Then we’re back to unauthorized people listening in to bank passwords and credit card numbers.

WPA3 security also triumphs over WPA2 systems when it comes to open networks with an enhanced protection system. WPA3 routers use Wi‑Fi CERTIFIED Enhanced Open, meaning that even when the devices connect to the WiFi router on an open network, there is strong encryption between the device and the router.

So even if a hacker is listening in, first they have to break through the WiFi encryption, then break a totally different set between the web browser and the bank, or the specific teller machine and the financial systems they’re talking to. Nothing is absolutely secure, but making unauthorized users work twice as hard to get the information they shouldn’t have, it makes people safer all around.

WPA3 Personal vs WPA3 Enterprise

When deciding between WPA3 Personal and WPA3 Enterprise, the target environment is the most important factor. While regular home users can theoretically benefit from the superior protection provided by WPA3 Enterprise and its 192-bit mode, the increased setup difficulty outweighs the benefits.

WPA2 WPA3
Full name WiFi Protected Access 2 WiFi Protected Access 3
Release date 2004 2018
Encryption method AES-CCMP AES-CCMP / AES-GCMP
Session key size 128 bits 128 bits / 256 bits
Session authentication method Pre-Shared Key (PSK) Simultaneous Authentication of Equals (SAE)
Brute force attacks Vulnerable Not vulnerable

WPA3 Device Support

Even at the time of writing this article, not all WiFi routers available on the market support WPA3. Fortunately, it’s easy to tell which do support the standard because all 802.11ax WiFi systems are required to ship with WPA3 Personal and WPA3 Enterprise support.

In other words, all WiFi 6 routers are also WPA3 routers, and the same goes for other WPA3 devices — if they’re WiFi 6-certified, then WPA3 security will be enabled. Here are our top 3 picks for the best WPA3 routers.

  1. TP-Link Archer AX21
  2. Netgear Orbi (tri-band, AX6000)
  3. Asus RT-AX86U

choice #1
  • Not Enough Ratings

The TP-Link Archer AX21 is one of the best routers with WPA3 that don’t cost an arm and a leg. The router is equipped with dual-band WiFi 6 connectivity for fast speeds of up to 1.8 Gbps and great coverage even in areas with lots of interference.

TP-Link Archer AX21

The rear side of the router is home to 4 Gigabit LAN ports and a single USB port that allows for easy file sharing. You can effortlessly set up the router using the TP-Link Tether app, which can also be used to include it in a whole-home mesh WiFi network.

Pros and Cons

  • Affordable
  • Great performance
  • Superb value
  • Lacks advanced features

choice #2
  • Not Enough Ratings

If you’re looking for the most powerful WPA3-certified routers currently available, then you should consider the tri-band version of the popular Netgear Orbi mesh Wi-Fi system. Capable of reaching speeds of up to 6 Gbps and covering up to 5,000 sq. ft. with a strong signal, the router is powerful enough to connect dozens of WPA3-supported devices to the internet.

Netgear Orbi (tri-band, AX6000)

Being a mesh WiFi system, the Netgear Orbi can be easily extended with additional satellite units to cover an even larger area with a seamless network. Of course, a router of this caliber isn’t cheap, but it’s well-worth the price if you live in a large house.

Pros and Cons

  • Leading performance
  • Simple setup
  • Supports three WiFi bands
  • Expensive

choice #3
  • Not Enough Ratings

Designed to meet the needs of serious gamers, the Asus RT-AX86U is as powerful as it is bulky. This WiFi 6 router is compatible with all WPA3 devices, and it can deliver true 2 Gbps wired and wireless speeds by aggregating multiple connections.

Asus RT-AX86U

All owners of the Asus RT-AX86U get to enjoy the ASUS AiProtection Pro home network security suite for superior protection against online threats. The suite even includes advanced parental controls to help parents control how much time their kids spend online.

Pros and Cons

  • Advanced features and customization options
  • Lifetime security software
  • Impressive performance
  • Bulky design

How to configure a router to use WPA3

It’s usually easy to configure a router to WPA3 protection, and the steps you need to follow tend to go something like this:

  1. Log in to your router’s admin interface. Most routers can be accessed by entering a specific IP address into the URL bar of your web browser, but some are administered exclusively via companion smartphone apps.
Log in to your router’s admin interface
  1. Go to the Settings section and look for Wireless settings. Depending on which WPA3 router you have, it might be necessary to enable WPA3 protection for the 2.4 GHz and 5 GHz band separately.
Go to the Settings section and look for Wireless settings
  1. Find the wireless security option and set it to WPA3-Personal if you’re a regular home user. Business users should use WPA3-Enterprise instead. Save the settings and wait for your router to restart.
Find the wireless security option

After setting up a new WPA3 router, you should use a wireless network analyzer like NetSpot to verify your security settings and create a detailed coverage map to see all areas of signal weakness.

NetSpot

You can then use the gathered information to optimize the configuration and placement of your router to achieve the best performance possible.

Summary

The WPA3 security standard was released in 2018 to address the latest cybersecurity threats, and it’s already supported by all WiFi 6-certified routers. Anyone who can should take advantage of it to improve their cybersecurity posture because it can be the difference between a cybersecurity incident and business as usual.

Check your Encryption using NetSpot

Powerful advanced tool for multiple Wi-Fi networks Surveys, Analysis and Troubleshooting.

FAQ

What is WPA2 and WPA3?

Both WPA2 (Wi-Fi Protected Access 2) and WPA3 (Wi-Fi Protected Access 3) are security certification programs developed by the Wi-Fi Alliance. WPA3 is the successor to WPA2, and it offers a number of improvements to address its predecessor’s shortcomings.

Should I use WPA3 or WPA2?

WPA3 is considerably more secure than WPA2, so you should use it whenever possible.

What does WPA3 Personal mean?

WPA3 Personal is one of several forms of WPA3, intended for home users rather than enterprises.

Is WPA3 better than WPA2?

Yes, WPA3 is more secure than WPA2 because it uses Simultaneous Authentication of Equals (SAE) instead of Pre-Shared Key (PSK), among other things.

Do all WiFi devices support WPA3?

No, not all WiFi devices support WPA3. Only devices that are WiFi 6-certified are guaranteed to support the standard.

What routers use WPA3?

WiFi 6 routers use WPA3 to secure communication with WPA3-compatible devices, and they’re also backwards compatible with devices that support only WPA2.

Have more questions?
Submit a request or write a couple words.

Read next in All about Wi-Fi

If you want to dive deeper into this Wi-Fi thing, check out the following articles about Wi-Fi security, the best apps for wireless networking, inflight WiFi, etc.
Get NetSpot for Free
Wi-Fi Site Surveys, Analysis, Troubleshooting runs on a MacBook (macOS 10.10+) or any laptop (Windows 7/8/10/11) with a standard 802.11a/b/g/n/ac/ax wireless network adapter.