A new wireless protocol promises to improve Wi-Fi security significantly, but the changes won’t be immediate.

The Wi-Fi Alliance released the Wi-Fi Protected Access (WPA3) security protocol in June 2018, an update to the 14-year-old WPA2, in an effort to improve defenses in personal and enterprise networks.

But some experts expect the rollout of WPA3 to take years because the organization will need to certify routers to work with the new protocol.

Just How Long Will It Take to Roll Out WPA3?

When WPA2 became mandatory in March 2006, it took the alliance about a year and a half to certify devices, according to Nick Bilogorskiy, cybersecurity strategist at Juniper Networks.

“I expect adoption of WPA3 to take many months — even years,” Bilogorskiy said.

In some cases, current routers will be able to run WPA3 through software updates, meaning some organizations won’t need to buy new hardware. Bilogorskiy advised organizations and individual users to update their software as soon as possible and use a virtual private network (VPN) connection in addition to Wi-Fi in the meantime.

Consumer routers are less likely to accept the software update than enterprise routers. According to Sean Newman, director of product management at Corero Network Security, that means many old routers running WPA2 could continue to operate for years.

“The challenge is the long-tail of wireless devices which don’t support the new standard, which will likely propagate significant use of the current standard for three, four, five or even more years before organizations can even consider turning off access for that,” Newman explained.

Improving Wi-Fi Security for Individuals and Businesses

WPA3’s new features promise to help both individual users and enterprises improve Wi-Fi security. For example, WPA3-Personal uses the Simultaneous Authentication of Equals (SAE) protocol to establish secure keys between devices, which helps protect individual users regardless of the strength of their Wi-Fi password. WPA3 also implements forward secrecy, a privacy feature that limits exposure in the event that a threat actor guesses the password.

“If an attacker steals an encrypted Wi-Fi transmission and then guesses the password, they will only be able to see information currently running through the network, not any older data,” Bilogorskiy explained.
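An added example, not from the article or the WPA3 specification: a simplified Python model of why a later-guessed password exposes old sessions under a static pre-shared key but not when one-time secrets are mixed into the key. Only `wpa2_pmk` follows the real WPA2-Personal derivation; the toy Diffie-Hellman group, the `session_key` stand-in and the other function names are assumptions, and this is not the SAE exchange itself.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, an assumption for illustration only. Real SAE
# runs its own exchange over standardized groups, not this.
P = 2**255 - 19
G = 2

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal master key: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def session_key(master: bytes, transcript: bytes) -> bytes:
    """Simplified stand-in for the per-session key derivation."""
    return hmac.new(master, transcript, hashlib.sha256).digest()

def static_session(passphrase: str, ssid: str, transcript: bytes) -> bytes:
    """WPA2-style: the key depends only on the passphrase and public values."""
    return session_key(wpa2_pmk(passphrase, ssid), transcript)

def ephemeral_session(passphrase: str, ssid: str, transcript: bytes) -> bytes:
    """Forward-secret style: fresh secrets a, b are mixed in, then discarded."""
    a = secrets.randbelow(P - 2) + 1           # client's one-time secret
    b = secrets.randbelow(P - 2) + 1           # access point's one-time secret
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)  # only these cross the air
    shared = pow(pub_b, a, P)                  # both sides reach the same value
    assert shared == pow(pub_a, b, P)
    master = hashlib.sha256(
        wpa2_pmk(passphrase, ssid) + shared.to_bytes(32, "big")).digest()
    public = transcript + pub_a.to_bytes(32, "big") + pub_b.to_bytes(32, "big")
    return session_key(master, public)

def password_alone_recovers(old_key: bytes, passphrase: str, ssid: str,
                            transcript: bytes) -> bool:
    """Does learning the passphrase later reproduce an old session's key?"""
    candidate = static_session(passphrase, ssid, transcript)
    return hmac.compare_digest(old_key, candidate)

def demo() -> dict:
    # Constructed sample values, not taken from any real network.
    pw, ssid, t = "constructed-passphrase", "ExampleNet", b"constructed-nonces"
    return {
        "static_key_exposed": password_alone_recovers(static_session(pw, ssid, t), pw, ssid, t),
        "ephemeral_key_exposed": password_alone_recovers(ephemeral_session(pw, ssid, t), pw, ssid, t),
    }
```

`demo()` reports the static-key session as recoverable from the passphrase and the ephemeral one as not, which is the property the quote above describes.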

For businesses, WPA3-Enterprise enables 192-bit encryption, while older versions used a 64-bit or 128-bit key. In addition, the new protocol offers simplified, secure connections for devices without screens, including smart speakers and other Internet of Things (IoT) devices.

But WPA3 won’t solve all of the IoT’s security problems. According to Newman, the simplified connection scheme will not protect individuals or enterprises from threats originating from compromised IoT devices, such as distributed denial of service (DDoS) attacks.

“The security of the devices themselves will also need to be improved significantly, not just the security of their Wi-Fi connection,” Newman said.

What’s Holding Up WPA3 Adoption?

Despite the security benefits of WPA3, some experts believe there is little urgency to make the switch because WPA2 is still a fairly robust security protocol.

Ian Sherlock, Wi-Fi product manager at Texas Instruments, noted that while WPA3 reflects “an industry desire to be proactive in enhancing Wi-Fi security,” many wireless users will likely wait for the release of the 802.11ax physical layer standard to adopt WPA3. The 802.11ax standard is designed to alleviate congestion and deliver faster Wi-Fi speeds for public networks and other high-bandwidth users, and many new routers will integrate support for both this standard and WPA3.

“WPA3 is expected to be a prerequisite for products supporting 802.11ax, and so that will provide a seamless migration point,” he said.

Wi-Fi operators can take other steps to protect their networks, including investing in security solutions and regularly checking the technology infrastructure for misconfigurations.

“I don’t think anyone needs to be rushing out to buy WPA3-enabled routers just yet,” said Craig Young, computer security researcher at Tripwire. “Anyone looking to improve their wireless security would be better off spending the time to install firmware updates and review configurations.”

Why You Should Adopt WPA3 Sooner Rather Than Later

Bilogorskiy noted that car manufacturers and IoT device makers should be the first companies to move to WPA3, since attacks against these technologies could result in particularly serious consequences. Think of what might happen, for example, if threat actors managed to take control of connected medical devices. Government and defense organizations should also move quickly given the criticality of their systems, Newman said.

“It makes sense to upgrade as soon as possible to benefit from WPA3 improvements,” Newman said, “but, as its use also depends on the connecting devices supporting it, it will likely be months — or even years — before there is a significant enough proportion of those devices for the benefits to be realized.”

Still, organizations should consider adopting the standard sooner rather than later.

“As with all network security, the hackers are constantly innovating and enhancing their abilities to compromise or bypass existing protections,” Newman said. “Combine this with their access to ever-increasing processor power, and the likelihood of hackers being able to readily crack the encryption and other security measures of older standards increases correspondingly.”
