Wi-Fi Protected Access II (WPA2) is an encryption standard used to secure the majority of Wi-Fi networks. Despite being commonly referred to as WPA2, the standard is officially known as IEEE 802.11i-2014.
What is WPA2?
WPA2 was first released in 2004. It built on the previous WPA standard to increase data protection and network access control for Wi-Fi networks. When enabled, WPA2 makes it much safer to connect to Wi-Fi because it provides unique encryption keys for each wireless device.
WPA2 has been mandatory for all Wi-Fi Alliance certified products since 2006. As a result, officially certified routers and devices have supported WPA2 for over 15 years. This makes WPA2 fairly old, which is why an updated version of the standard, known as WPA3, was ratified in January 2019.
WPA3 implements several security improvements over WPA2 and is now mandatory to gain official Wi-Fi Alliance certification. However, WPA2 is still the primary form of protection on Wi-Fi networks for the time being.
Check out our guide to WPA3 WiFi standard for more information about it.
What is the difference between WPA and WPA2?
The first thing to note is that WPA already contained some important security features found in IEEE 802.11i (WPA2). For example, WPA dynamically generates a new 128-bit key for each packet using the Temporal Key Integrity Protocol (TKIP). This is a vast improvement over the security available in the Wired Equivalent Privacy (WEP) security algorithm that preceded it.
WPA also implements a message integrity check using a Message Authentication Code (MAC). This is designed to prevent an attacker altering, spoofing, or resending data packets.
The crucial difference between these two standards is that WPA2 uses Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), which is AES-based encryption (rather than TKIP). AES is a military-grade cipher that results in security being much more robust.
Are all Wi-Fi networks protected with WPA2 or later?
No. Although routers nowadays support WPA2, it is up to the Wi-Fi hotspot administrator to ensure that the encryption is enabled.
When a local network administrator sets up a router, they get a few different security options. If the admin opts to leave the router unsecured, this could leave users who connect to it vulnerable to cyberattacks. As a result, it is impossible to connect to public Wi-Fi confidently without the use of a VPN.
In 2023, the security options available to network administrators setting up a Wi-Fi network are as follows (descending from most secure to least secure):
- WPA2 Enterprise
- WPA2 Personal
- WPA + AES
- WPA + TKIP
- Open Network (no security implemented)
What weaknesses does WPA2 have?
Even when WPA2 is implemented and a password is required to join a Wi-Fi network, it still harbors some potential vulnerabilities.
Passwords can potentially be cracked due to key management vulnerabilities present in the 4-way handshake. In addition to password decryption, this can result in packet replay, TCP connection hijacking, and HTTP content injection. Passwords are also potentially vulnerable to a dictionary attack.
In addition, once any user has access to a WPA2 protected Wi-Fi network, it is possible that they might attack other devices connected to the network. This is why we recommend that you always use a VPN for public Wi-Fi networks.
The KRACK vulnerability can also be exploited to intercept unprotected data passing over the network, which is another reason why it is always recommended for consumers to use a VPN.
What improvements does WPA3 provide?
As time passes vulnerabilities are exposed, and it becomes necessary to update standards that were previously considered secure. WPA3 is an updated version of the IEEE 802.11i standard that improves security in a number of ways:
- Enforces a more secure handshake for establishing connections. This replaces Pre-Shared Key (PSK) exchange with Simultaneous Authentication of Equals (SAE), which is a more secure way to do the initial key exchange and results in forward secrecy due to its implementation of a Diffie-Hellman key exchange mechanism.
- Provides an easy method for securely adding new devices to a network
- Increases key sizes
However, although WPA3 allows for the implementation of all the advancements above, it is worth noting that the final specification only makes the new handshake mandatory. Thus, not all networks that update to WPA3 will roll out all the improvements mentioned above.
Thus, the primary benefits of WPA3 is the increased security of the handshake, which makes it harder to break into the network and protects it against the KRACK vulnerability.
Should I use VPN on WPA2 protected networks?
When you connect to a public Wi-Fi hotspot, it is not always possible to tell what kind of security has been implemented.
In addition, as previously mentioned, even if WPA2 has been implemented, it is possible that your data could be exposed to another user who is also connected to the hotspot.
This is why it is vital for anybody who regularly connects to public Wi-Fi in locations such as coffee shops, hotels, and airports to use a VPN to encrypt their traffic.