
WiFi WPA3 Support

WPA3 is the latest security specification for WiFi networks. It was introduced in 2018, and routers, access points and client devices that support the specification are now available. This Tech Note describes the current state of WPA3 support in Electric Imp imp modules and impOS™.

TL;DR

  • WPA3 SAE mode is supported from impOS 42.6 onwards, on imp006a and imp005.
  • imps that do not support WPA3 SAE — all other imps — will connect to WPA3 TM networks from impOS 42.6 onwards.
  • Pre-release versions of impOS 42 (those prior to 42.6) will not connect to either WPA3 TM or WPA3 SAE networks.

Detail

WPA3 provides two modes of access. The first, WPA3 SAE (Simultaneous Authentication of Equals), is the preferred mechanism. However, SAE isn’t compatible with client devices that do not support WPA3. For this reason, WPA3 incorporates Transition Mode. This allows WPA2 devices using pre-shared key security (WPA2 PSK) to connect to WPA3 routers and access points.

Transition Mode needs to be explicitly enabled in WPA3 infrastructure units. Many units enable it by default, due to the small number of WPA3-capable devices currently on the market.

WPA3 Support in impOS

| imp | impOS 40.x: WPA3 TM | impOS 40.x: WPA3 SAE | impOS 42.0-42.5: WPA3 TM | impOS 42.0-42.5: WPA3 SAE | impOS >= 42.6: WPA3 TM | impOS >= 42.6: WPA3 SAE |
| --- | --- | --- | --- | --- | --- | --- |
| imp001-004m, imp006b | Will Connect | Will Not Connect | Will Not Connect | Will Not Connect | Will Connect | Will Not Connect |
| imp005 | Will Connect | Will Not Connect | Will Not Connect | Will Not Connect | Will Connect | Will Connect |
| imp006a | Will Connect | Will Not Connect | Will Not Connect | Will Not Connect | Will Connect | Will Connect |

impOS support for WPA3 is limited to WPA3-Personal — WPA3-Enterprise is not supported.

How Can I Tell Which Mode an imp is Using?

To determine which WPA3 mode is in use in a given connection, use the imp API method imp.net.info() and check the encryption field of the WiFi interface record in the returned data structure.

For the imp005 and imp006a, when SAE is in use, the encryption field will have the value WPA3-SAE (AES). When Transition Mode is being used, the encryption field will have the value WPA3-WPA2-PSK (AES).

For all other imps, the encryption field will have the value WPA2-PSK (AES).
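The check described above, written as device-side Squirrel. This is an added example, not Electric Imp's own code. It assumes that imp.net.info() returns an interface array whose records carry a type field, and that a disconnected WiFi record has no encryption field; the message name "wifi.security" is hypothetical.

```squirrel
// Added example (device code). Only the 'encryption' field and its three
// values come from this Tech Note; the 'interface' array and 'type' key
// are assumptions about the imp.net.info() structure.

// Map the reported encryption string to the mode named in this note.
function wpaMode(encryption) {
    switch (encryption) {
        case "WPA3-SAE (AES)":      return "WPA3 SAE";
        case "WPA3-WPA2-PSK (AES)": return "WPA3 Transition Mode";
        case "WPA2-PSK (AES)":      return "WPA2 PSK";
    }
    // Open networks, older modes, or a string not covered by this note
    return "other";
}

// Build a small report from the WiFi interface record, or return null
// if the device has no WiFi interface at all.
function wifiSecurityReport() {
    local info = imp.net.info();
    foreach (iface in info.interface) {
        if (iface.type != "wifi") continue;
        // Assumed: a WiFi record that is not connected lacks 'encryption'
        if (!("encryption" in iface)) return { "connected": false };
        local mode = wpaMode(iface.encryption);
        return {
            "connected": true,
            "encryption": iface.encryption,
            "mode": mode,
            "sae": (mode == "WPA3 SAE")
        };
    }
    return null;
}

local report = wifiSecurityReport();
if (report == null) {
    server.log("No WiFi interface found");
} else if (!report.connected) {
    server.log("WiFi interface is not connected");
} else {
    server.log("WiFi security: " + report.mode + " [" + report.encryption + "]");
    // Anything other than SAE means the link is protected by a PSK handshake
    if (!report.sae) server.log("Connection is not using WPA3 SAE");
    // Hypothetical message name; lets the agent track modes across a fleet
    agent.send("wifi.security", report);
}
```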

Supporting Your End-users

Most current WPA3 routers and access points are expected to enable Transition Mode by default, but some may require their owners to enable Transition Mode manually. End-users may also be encouraged to disable Transition Mode in order to maximize the security of their networks, even though this will prevent pre-WPA3 devices, including imps other than the imp005 and imp006a, from connecting.

The WiFi Alliance recommends that Transition Mode be enabled where backwards compatibility is required or desirable, or that end-users maintain separate WPA3-Personal and WPA2-Personal networks. This is good advice to pass on to end-users seeking clarity on WPA3 support in your products. When a sufficient number of client devices are able to connect using WPA3 SAE, Transition Mode, which should be viewed as a temporary measure, can be disabled.