Wireless networking security is about to get a whole lot better now that the Wi-Fi Alliance has formally rolled out Wi-Fi CERTIFIED WPA3, a specification that adds support for both much-improved authentication and more robust encryption.
The WPA3 suite covers everything from making it simpler to implement complex passwords in a way an end user can easily remember to the encryption of network traffic as it moves between a mobile device and a wireless access point.
Specifically, users accessing public or open hotspots will be able to take advantage of Opportunistic Wireless Encryption (OWE), which automatically provides encryption without requiring an end user to necessarily authenticate their device. WPA3 also provides additional enhanced cryptography algorithms that are built into the framework. These advances are collectively designed to, for example, remediate Key Reinstallation Attack (KRACK) vulnerability that bypasses existing WPA2 network security protocols to steal data as it traverses unencrypted networks.
There are two classes of WPA certification. WPA3-Personal requires more resilient, password-based authentication even when users choose passwords that fall short of typical complexity recommendations. WPA3 makes use of Simultaneous Authentication of Equals (SAE), a secure key establishment protocol between devices, to provide stronger protections for users against password guessing attempts made by cybercriminals by allowing simple passwords to be augmented by a more complex password scheme embedded in a device or access point. WPA3-Enterprise, meanwhile, provides a 192-bit cryptographic scheme for encrypting data as it moves across a wireless network.
WPA2 continues to be mandatory for all Wi-Fi CERTIFIED devices. But as market adoption of devices that support the WPA3 specification grows, achieving WPA3 compliance will eventually be required to achieve certification from the Wi-Fi Alliance. WPA3 access points will be able to interoperate with WPA2 devices through what the Wi-Fi Alliance describes as a transitional mode of operation.
The Wi-Fi Alliance has also added a Wi-Fi CERTIFIED Easy Connect program that reduces the complexity of onboarding Wi-Fi devices with limited or no display interface, which is usually the case for devices being connected as part of an Internet of Things (IoT) initiative. Wi-Fi Easy Connect is designed to enable users to securely add any device to a Wi-Fi network using another device with a more robust interface, such as a smartphone, by scanning a product quick response (QR) code.'The replacement of each mobile computing device and wireless access point will soon represent actual, meaningful cybersecurity progress.' ~@mvizardClick To Tweet
Mobile devices and access points that support the WPA3 specification should start to become generally available later this year. Obviously, cybersecurity professionals have a vested interest in making sure that WPA3 compliance is required for all devices acquired by the purchasing department of the organizations that employ them. At the very least, wireless devices should support the latest version of the WPA2 specification as well as require if possible compliance with a Wi-Fi CERTIFIED Enhanced Open certification that protects data on open networks found, for example, in hotels and coffee shops. With most employees taking vacations this summer the probability that many of them will be trying to remotely access corporate data over an open network exponentially increases.
Obviously, there’s a still a long way to go in terms of improving wireless networking security. The good news is that going forward the replacement of each mobile computing device and wireless access point will soon represent actual meaningful cybersecurity progress.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.