WPA3 is the latest security specification for WiFi networks. It was introduced in 2018, and routers, access points and client devices that support the specification are now available. This Tech Note describes the current state of WPA3 support in Electric Imp imp modules and impOS™.
WPA3 provides two modes of access. The first, WPA3 SAE (Simultaneous Authentication of Equals), is the preferred mechanism. However, SAE isn’t compatible with client devices that do not support WPA3. For this reason, WPA3 incorporates Transition Mode. This allows WPA2 devices using pre-shared key security (WPA2 PSK) to connect to WPA3 routers and access points.
Transition Mode needs to be explicitly enabled in WPA3 infrastructure units. Many enable it by default because few WPA3-capable devices are currently on the market.
imp | impOS 40.x: WPA3 TM | impOS 40.x: WPA3 SAE | impOS 42.0-42.5: WPA3 TM | impOS 42.0-42.5: WPA3 SAE | impOS >= 42.6: WPA3 TM | impOS >= 42.6: WPA3 SAE
---|---|---|---|---|---|---
imp001-004m, imp006b | Will Connect | Will Not Connect | Will Not Connect | Will Not Connect | Will Connect | Will Not Connect
imp005 | Will Connect | Will Not Connect | Will Not Connect | Will Not Connect | Will Connect | Will Connect
imp006a | Will Connect | Will Not Connect | Will Not Connect | Will Not Connect | Will Connect | Will Connect
impOS support for WPA3 is limited to WPA3-Personal — WPA3-Enterprise is not supported.
To determine which WPA3 mode is in use in a given connection, use the imp API method `imp.net.info()` and check the `encryption` field of the WiFi interface record in the returned data structure.
For the imp005 and imp006a, when SAE is in use, the `encryption` field will have the value `WPA3-SAE (AES)`. When Transition Mode is being used, the `encryption` field will have the value `WPA3-WPA2-PSK (AES)`.
For all other imps, the `encryption` field will have the value `WPA2-PSK (AES)`.
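The check described above, as device-side Squirrel. This is an added example, not Electric Imp's own code. It assumes that `imp.net.info()` returns a table whose `interface` key holds an array of interface records and that WiFi records have `type` set to `"wifi"`; the message name `wifi.security` is hypothetical.

```squirrel
// Added example. Assumed layout: imp.net.info().interface is an array of
// records, and WiFi records carry type == "wifi" plus the 'encryption' field.

// Map the reported encryption string to the WPA mode in use.
// The three strings are the values listed in this Tech Note.
function classifyEncryption(enc) {
    if (enc == "WPA3-SAE (AES)") return "WPA3 SAE";
    if (enc == "WPA3-WPA2-PSK (AES)") return "WPA3 Transition Mode";
    // Imps other than the imp005 and imp006a always report this value,
    // so it cannot tell a Transition Mode network from a plain WPA2 one
    if (enc == "WPA2-PSK (AES)") return "WPA2 PSK";
    return "other";
}

// Build a small report from the first WiFi record that has an encryption value
function wifiSecurityReport() {
    local report = { "connected": false, "encryption": "", "mode": "unknown" };
    local info = imp.net.info();
    if (!("interface" in info)) return report;

    foreach (iface in info.interface) {
        if (!("type" in iface) || iface.type != "wifi") continue;
        // Assumption: the field is absent or null when WiFi is not connected
        if (!("encryption" in iface) || iface.encryption == null) continue;
        report.connected = true;
        report.encryption = iface.encryption;
        report.mode = classifyEncryption(iface.encryption);
        break;
    }
    return report;
}

local report = wifiSecurityReport();
if (report.connected) {
    server.log("WiFi security: " + report.mode + " [" + report.encryption + "]");
} else {
    server.log("WiFi security: no connected WiFi interface found");
}

// Send the result to the agent so a fleet inventory can show which devices
// are not using SAE and would lose their connection if Transition Mode
// were disabled on their network ("wifi.security" is a hypothetical name)
agent.send("wifi.security", report);
```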
Most current WPA3 routers and access points are expected to enable Transition Mode by default, but some may require their owners to enable Transition Mode manually. End-users may also be encouraged to disable Transition Mode in order to maximize the security of their networks, even though this will prevent pre-WPA3 devices, including imps other than the imp005 and imp006a, from connecting.
The Wi-Fi Alliance recommends that Transition Mode be enabled where backwards compatibility is required or desirable, or that end-users maintain separate WPA3-Personal and WPA2-Personal networks. This is good advice to pass on to end-users seeking clarity on WPA3 support in your products. When a sufficient number of client devices are able to connect using WPA3 SAE, Transition Mode, which should be viewed as a temporary measure, can be disabled.