July 16, 2018 By Grant Gross 3 min read

A new wireless protocol promises to improve Wi-Fi security significantly, but the changes won’t be immediate.

The Wi-Fi Alliance released the Wi-Fi Protected Access (WPA3) security protocol in June 2018, an update to the 14-year-old WPA2, in an effort to improve defenses in personal and enterprise networks.

But some experts expect the rollout of WPA3 to take years because the organization will need to certify routers to work with the new protocol.

Just How Long Will It Take to Roll Out WPA3?

When WPA2 became mandatory in March 2006, it took the agency about a year and a half to certify devices, according to Nick Bilogorskiy, cybersecurity strategist at Juniper Networks.

“I expect adoption of WPA3 to take many months — even years,” Bilogorskiy said.

In some cases, current routers will be able to run WPA3 through software updates, meaning some organizations won’t need to buy new hardware. Bilogorskiy advised organizations and individual users to update their software as soon as possible and use a virtual private network (VPN) connection in addition to Wi-Fi in the meantime.

Consumer routers are less likely to accept the software update than enterprise routers. According to Sean Newman, director of product management at Corero Network Security, that means many old routers running WPA2 could continue to operate for years.

“The challenge is the long-tail of wireless devices which don’t support the new standard, which will likely propagate significant use of the current standard for three, four, five or even more years before organizations can even consider turning off access for that,” Newman explained.

Improving Wi-Fi Security for Individuals and Businesses

WPA3’s new features promise to help both individual users and enterprises improve Wi-Fi security. For example, WPA3-Personal uses the Simultaneous Authentication of Equals (SAE) protocol to establish secure keys between devices, which helps protect individual users regardless of the strength of their Wi-Fi password. WPA3 also implements forward secrecy, a privacy feature that limits exposure in the event that a threat actor guesses the password.

“If an attacker steals an encrypted Wi-Fi transmission and then guesses the password, they will only be able to see information currently running through the network, not any older data,” Bilogorskiy explained.

For businesses, WPA3-Enterprise enables 192-bit encryption, while older versions used a 64-bit or 128-bit key. In addition, the new protocol offers simplified, secure connections for devices without screens, including smart speakers and other Internet of Things (IoT) devices.

But WPA3 won’t solve all of the IoT’s security problems. According to Newman, the simplified connection scheme will not protect individuals or enterprises from threats originating from compromised IoT devices, such as distributed denial of service (DDoS) attacks.

“The security of the devices themselves will also need to be improved significantly, not just the security of their Wi-Fi connection,” Newman said.

What’s Holding Up WPA3 Adoption?

Despite the security benefits of WPA3, some experts believe there is little urgency to make the switch because WPA2 is still a fairly robust security protocol.

Ian Sherlock, Wi-Fi product manager at Texas Instruments, noted that while WPA3 reflects “an industry desire to be proactive in enhancing Wi-Fi security,” many wireless users will likely wait for the release of the 802.11ax physical layer standard to adopt WPA3. The 802.11ax standard is designed to alleviate congestion and deliver faster Wi-Fi speeds on public networks and other high-bandwidth users, and many new routers will integrate support for both this standard and WPA3.

“WPA3 is expected to be a prerequisite for products supporting 802.11ax, and so that will provide a seamless migration point,” he said.

Wi-Fi operators can take other steps to protect their networks, including investing in security solutions and regularly checking the technology infrastructure for misconfigurations.

“I don’t think anyone needs to be rushing out to buy WPA3-enabled routers just yet,” said Craig Young, computer security researcher at Tripwire. “Anyone looking to improve their wireless security would be better off spending the time to install firmware updates and review configurations.”

Why You Should Adopt WPA3 Sooner Rather Than Later

Bilgorskiy noted that car manufacturers and IoT device makers should be the first companies to move to WPA3, since attacks against these technologies could result in particularly serious consequences. Think of what might happen, for example, if threat actors managed to take control of connected medical devices. Government and defense organizations should also move quickly given the criticality of their systems, Newman said.

“It makes sense to upgrade as soon as possible to benefit from WPA3 improvements,” Newman said, “but, as its use also depends on the connecting devices supporting it, it will likely be months — or even years — before there is a significant enough proportion of those devices for the benefits to be realized.”

Still, organizations should consider adopting the standard sooner rather than later.

“As with all network security, the hackers are constantly innovating and enhancing their abilities to compromise or bypass existing protections,” Newman said. “Combine this with their access to ever-increasing processor power, and the likelihood of hackers being able to readily crack the encryption and other security measures of older standards increases correspondingly.”

More from

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Cybersecurity Awareness Month: 5 new AI skills cyber pros need

4 min read - The rapid integration of artificial intelligence (AI) across industries, including cybersecurity, has sparked a sense of urgency among professionals. As organizations increasingly adopt AI tools to bolster security defenses, cyber professionals now face a pivotal question: What new skills do I need to stay relevant?October is Cybersecurity Awareness Month, which makes it the perfect time to address this pressing issue. With AI transforming threat detection, prevention and response, what better moment to explore the essential skills professionals might require?Whether you're…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today