How will the new WPA3 protocol strengthen password security?

The new Wi-Fi protocol, WPA3, is intended to strengthen password security and better protect IoT devices. What exactly is included in the new protocol, and how is it different from WPA2?

As IoT continues to transform how homes and businesses operate, forecasters estimate over 30 billion objects will connect to the internet by 2020. However, any communication channels IoT uses must be secure, as many of these devices run critical infrastructure components and share sensitive business or personal information.

The most common protocol used to connect IoT devices via Wi-Fi is WPA2 -- also known as Wi-Fi Protected Access II -- as it defines how a router and Wi-Fi client devices perform the "handshake" network connection process to negotiate the encryption used to secure the connection. This connection process was developed by the Wi-Fi Alliance to replace the Wired Equivalent Privacy protocol, which contained serious weaknesses. Although WPA2 provides security for billions of Wi-Fi devices, it is now over 14 years old.

To secure the next generation of Wi-Fi-enabled devices and personal and enterprise Wi-Fi networks, the Wi-Fi Alliance introduced WPA3, which improves configuration, authentication and encryption. A 192-bit security suite -- aligned with the Commercial National Security Algorithm Suite from the Committee on National Security Systems and a part of the National Security Agency -- will provide stronger encryption for critical Wi-Fi networks. However, the new individualized data encryption feature is what will dramatically improve the overall security of public Wi-Fi hotspots.

The Wi-Fi networks found in public locations, such as airports, hotels and coffee shops, are open and allow traffic to be sent over them that isn't routinely encrypted -- users can see the websites others are visiting, even if the sites implement HTTPS. WPA3 fixes this by automatically encrypting all traffic between a device and the Wi-Fi access point by using a unique key, without the need for any prior setup by the user. Although this opportunistic encryption doesn't provide the same level of security and assurance as authenticated encryption, it's better than no encryption, and it delivers a huge boost to everyday internet security.

WPA3 fixes this by automatically encrypting all traffic between a device and the Wi-Fi access point by using a unique key, without the need for any prior setup by the user.

WPA3 also introduces a more robust handshake when a device connects to another Wi-Fi device, which helps protect devices that don't have a strong password by preventing brute-force and dictionary password attacks. WPA2 devices that haven't been patched are vulnerable to the WPA2 KRACK vulnerability, as it takes advantage of the four-way handshake implemented in WPA2 to produce a man-in-the-middle exploit.

Mathy Vanhoef, who discovered the flaw in 2017, believes the new handshake protocol is likely to be Simultaneous Authentication of Equals, or Dragonfly. This is a password-authenticated key exchange based on a zero-knowledge proof and, by default, uses elliptic curve cryptography with order of 256-bit prime number. The reason this protocol protects weak passwords is an attacker is unable to make more than one guess at the password per attack.

Finally, WPA3 will make it easier to configure Wi-Fi devices that have no keyboard or screen, such as the Amazon Echo, but there are no details as to how this will work or how secure it is. The Wi-Fi Alliance will continue improving WPA2, as many existing Wi-Fi devices have a long working life. Users should look for the "Wi-Fi CERTIFIED WPA2" or "Wi-Fi CERTIFIED WPA3" seal of approval from the Wi-Fi Alliance on any Wi-Fi products they buy, as this ensures the required security features have been fully implemented.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)