Abstract

Wi-Fi Protected Access 3 (WPA3) became a mandatory part of the Wi-Fi certification on July 1 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">st</sup> 2020. Therefore, the adoption rate of WPA3 is expected to grow soon. In this paper, we focus on WPA3 personal transition mode, in particular the security of this mode. We argue that transition mode is a requirement in home environments for the foreseeable future. We investigate whether it is possible to secure a WPA3 personal transition mode network in such a way that downgrade attacks are not feasible. We find that even with the security recommendations that the Wi-Fi Alliance recently issued for WPA3, common implementations running in transition mode can still be downgraded to WPA2. In our experiments, we can see that there are differences between WPA3 implementations in terms of security. The Wi-Fi Alliance has already announced upcoming additions to the WPA3 standard. These additions offer essential improvements to the security of WPA3 personal transition mode networks. We believe that the WPA3 certification should be extended to include the recently announced additions to WPA3. In addition to this, we make several recommendations to ensure the safe operation of WPA3. Together these changes will resolve most of the implementation differences we observed. Furthermore, we argue that mutual authentication is an essential stepping stone towards a more secure Wi-Fi ecosystem and discuss two mechanisms.