WPA3
Wi-Fi Protected Access 3
The 2018 Wi-Fi security standard that addresses WPA2's key weaknesses — replacing the capturable four-way handshake with SAE (Simultaneous Authentication of Equals) to prevent offline dictionary attacks, adding per-session forward secrecy, mandating Protected Management Frames, and enabling encrypted open networks via OWE.
WPA3 was introduced by the Wi-Fi Alliance in 2018 and became mandatory for Wi-Fi 6 (802.11ax) certification. It has two variants: WPA3-Personal for home/small office use (replaces WPA2-PSK with SAE) and WPA3-Enterprise for corporate networks (adds optional 192-bit security suite using GCMP-256 and HMAC-SHA-384). The critical improvement in WPA3-Personal is SAE — the Dragonfly key exchange that makes offline password attacks computationally infeasible. WPA3 also mandates PMF (Protected Management Frames, 802.11w), which prevents deauthentication attacks used by tools like aireplay-ng to forcibly disconnect clients.
WPA2 vs WPA3 improvements
| Feature | WPA2 | WPA3 |
|---|---|---|
| Handshake | 4-way PSK (capturable) | SAE / Dragonfly (online-only) |
| Offline dictionary attack | Possible — GPU cracking | Prevented by SAE |
| Forward secrecy | No (same PMK per password) | Yes (unique keys per session) |
| Open network encryption | No (plaintext) | OWE (encrypted, no password) |
| Management frame protection | Optional (PMF) | Mandatory (PMF) |
| Enterprise cipher suite | AES-128-CCMP | GCMP-256 (in the optional 192-bit suite) |
| KRACK vulnerability | Patched (firmware) | Not applicable (SAE) |
WPA3 transition mode
Most routers with WPA3 support offer WPA2/WPA3 mixed mode: the same SSID accepts both WPA2-PSK and WPA3-SAE connections. WPA3-capable devices negotiate SAE and get forward secrecy and KRACK immunity; older WPA2-only devices use the four-way handshake as before. This avoids compatibility issues during device fleet transitions. Fully WPA3-only mode is appropriate when all connecting devices support WPA3 — typically new deployments or environments with a controlled set of modern devices. Check your router settings: look for "WPA3" or "WPA3-SAE" options, and "WPA2/WPA3" or "WPA3 Transition Mode" for mixed operation.
Frequently Asked Questions
What does SAE fix that WPA2 could not?
WPA2's four-way handshake can be captured and dictionary-attacked offline at billions of guesses per second. SAE (Dragonfly) is a password-authenticated key exchange with a zero-knowledge property: nothing captured from the handshake can be used for offline cracking. Attacks must be online (one attempt per connection), making brute force impractical. SAE also adds per-session forward secrecy.
What is WPA3-OWE and why does it matter for open Wi-Fi?
OWE (Opportunistic Wireless Encryption) encrypts open networks without a password via an unauthenticated Diffie-Hellman key exchange. It prevents passive sniffing on coffee shop or airport Wi-Fi while keeping the same zero-friction user experience. It does not prevent evil twin attacks: use a VPN on untrusted networks for full protection.
Is WPA3 backwards compatible with WPA2 devices?
Not directly — WPA3-only mode locks out WPA2 devices. Use WPA2/WPA3 transition (mixed) mode: WPA3 clients negotiate SAE, WPA2 clients use the four-way handshake on the same SSID. Recommended for most homes and offices with mixed-age devices.
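As an added example (not part of the original page), the following Python script audits the output of `iw dev wlan0 scan` from a Linux client, classifying each network as WPA2-PSK, WPA2/WPA3 transition, WPA3-only or OWE and reporting whether PMF is required, optional or absent, which is the client-side way to verify the transition-mode and PMF settings described in the transition mode section and the compatibility FAQ above. The scan text is a constructed, abridged sample rather than a real capture, and the `Authentication suites` / `MFP-required` / `MFP-capable` field names are assumed from the Linux `iw` tool's RSN output.

```python
import re

# Constructed, abridged `iw dev wlan0 scan` output (not a real capture): only the SSID, AKM and RSN capability lines are kept.
SAMPLE_SCAN = """\
BSS 02:00:00:00:01:00(on wlan0)
	SSID: legacy-office
	 * Authentication suites: PSK
	 * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x000c)
BSS 02:00:00:00:02:00(on wlan0)
	SSID: mixed-home
	 * Authentication suites: PSK SAE
	 * Capabilities: 1-PTKSA-RC 1-GTKSA-RC MFP-capable (0x008c)
BSS 02:00:00:00:03:00(on wlan0)
	SSID: wpa3-lab
	 * Authentication suites: SAE
	 * Capabilities: 1-PTKSA-RC 1-GTKSA-RC MFP-required MFP-capable (0x00cc)
BSS 02:00:00:00:04:00(on wlan0)
	SSID: cafe-enhanced-open
	 * Authentication suites: OWE
	 * Capabilities: 1-PTKSA-RC 1-GTKSA-RC MFP-required MFP-capable (0x00cc)
"""

def classify(akms, caps):
    """Map AKM suite names and RSN capability flags to (mode, PMF state)."""
    if "OWE" in akms:
        mode = "OWE (encrypted open)"
    elif "SAE" in akms:
        # SAE and PSK on one SSID is transition mode: the 4-way PSK handshake is still accepted
        mode = "WPA2/WPA3 transition" if "PSK" in akms else "WPA3-only (SAE)"
    else:
        mode = "WPA2-PSK" if "PSK" in akms else "open/unknown"
    # WPA3-only and OWE networks require PMF; transition mode usually advertises only MFP-capable
    pmf = ("required" if "MFP-required" in caps
           else "optional" if "MFP-capable" in caps else "none")
    return mode, pmf

def audit_scan(text):
    """Return {ssid: (mode, pmf)} for every BSS block in iw scan output."""
    results = {}
    for block in re.split(r"^BSS ", text, flags=re.M)[1:]:
        ssid = re.search(r"^\s*SSID: (.*)$", block, re.M).group(1).strip()
        akm = re.search(r"Authentication suites: (.*)$", block, re.M)
        caps = re.search(r"Capabilities: (.*)$", block, re.M)
        akms = akm.group(1).split() if akm else []
        results[ssid] = classify(akms, caps.group(1) if caps else "")
    return results

for ssid, (mode, pmf) in audit_scan(SAMPLE_SCAN).items():
    print(f"{ssid:20} {mode:24} PMF {pmf}")
```

A transition-mode SSID that shows only `MFP-capable` is expected: it still admits WPA2 clients that do not support 802.11w, which is exactly the compatibility trade-off the mixed mode makes.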