The first layer of defense for a wireless network is the authentication process. With a strong authentication barrier, an organization can feel confident that only approved network users are able to gain access to the network and the resources they need. Without proper authentication, a network could be easily compromised. There are several methods of authentication, each with their own strengths and weaknesses.
Wi-Fi Protected Access
WPA
Wi-Fi Protected Access (WPA) was first certified for use by wireless devices in 2003. It replaced Wired Equivalent Privacy (WEP) at that time because the older protocol was proving to be insecure against modern attacks.
While WPA did bring updates like the use of Temporal Key Integrity Protocol (TKIP), it was destined to be short-lived. WPA was launched while the 802.11i standard was still in progress, so WPA was quickly replaced in 2004 by WPA2. By 2006, WPA2 had become the new industry standard that would stand for the next 15 years.
WPA2
WPA2 has become synonymous with the Wi-Fi trademark and is mandatory for those that want to use the trademark. There are many improvements that WPA2 brings, but the most impactful ones centered around security and the user experience.
The upgraded AES-CCMP encryption improved drastically on WEP and WPA methods. The process of manually configuring a wireless network was simplified greatly. And perhaps most visible to the end user was the requirement of more complex passwords, as well as offering WPA2-Personal and WPA2-Enterprise for personal and business use respectively.
WPA3
While WPA2 has lasted over a decade, it is beginning to show signs of its age. As a result, in 2018 WPA3 was launched. WPA3 operated similarly to WPA2 but was upgraded for the modern age. Some upgrades included requiring longer key length for AES encryption, adding encryption to open authentication networks, and implementing Simultaneous Authentication of Equals.
If you’re wondering why you’re still using a WPA2 network currently, do not be alarmed; WPA3 has not seen widespread adoption. WPA3 is unable to support legacy devices, so many organizations simply cannot support both WPA2 and 3. But new devices are designed to enable WPA3, so over the coming years we will likely see a huge uptick in WPA3 use.
Authenticating to a WPA Network
There are several authentication methods that can be applied to a WPA network, each with different levels of simplicity, security, and effectiveness.
Open Authentication
The Open Authentication method is the most simple. A user finds the SSID that corresponds to the network they want to authenticate to, and then they connect to the network. This method does not require proof of identity and does not encrypt traffic.
Open networks should be avoided at all costs. They are often seen in public spaces such as shops or recreational areas, and they are a magnet for attackers. Even a low-skilled attacker can easily view traffic on an open network and attack its users. The US government has issued a warning about the dangers of using open networks and has strongly recommended against their use.
Pre-Shared Key
WPA2-PSK allows anyone to connect to a network using a shared password. This is a common method used in homes, coffee shops, and small offices. While it does use protected WPA2, PSK is still a problematic authentication method, especially in an office setting.
Since everyone knows the single password, it can be easily shared outside the organization, whether intentionally or accidentally. In an office, if a user leaves the organization, best practice would be to reset the password. This isn’t exactly an efficient system and can quickly lead to a breach. Overall, PSK is a risky method and should probably be avoided.
WPA2-Enterprise
WPA2-Enterprise requires each user to authenticate with a unique identifier. This method is used by businesses, schools, hospitals – really any large organization with valuable data they need to protect. It is far and away the most secure of the common authentication types as each user must be onboarded and identified in the IDP.
WPA2-Enterprise requires the use of a secure EAP method to authenticate. The most commonly used include PEAP-MSCHAPv2, EAP-TTLS/PAP, and EAP-TLS. It can be configured to accept a wide variety of identifiers and can enable MFA for a more secure authentication experience.
The usual experience with WPA2-Enterprise is each user is assigned a unique identifier when they are onboarded to the network. While this identifier is usually an individual password associated with an individual user, many organizations have begun to use certificates over passwords.
Certificates are superior to passwords in every metric. For the end user, certificates are something you have, not a complex password that must be memorized or changed regularly. They simply connect to the network and the certificate is automatically authenticated. Certificates cannot be shared or removed from the device unless revoked by a network admin. And public key cryptography prevents certificates from being stolen for use by attackers.
Simplifying WPA2-Enterprise
For most organizations, WPA2-Enterprise is the only choice for network protection. It uses the most secure authentication methods and allows for a huge amount of customization. Whether you want to use passwords or MFA, WPA2-Enterprise can accommodate.
SecureW2 provides all the tools needed to set up a secure WPA2-Enterprise network. Our set-n-forget infrastructure can be quickly set up and is designed for easy lifetime management. The infrastructure provided integrates with all major network infrastructure manufacturers so you can build on top of your existing system instead of outright replacing everything.
The greatest asset of SecureW2 is the efficient certificate solutions. For both admins and end users, the process of launching certificates is streamlined. Users can easily configure and obtain a certificate, and admins can manage the network with an array of tools in the management portal.
Check out SecureW2’s pricing page to see if our certificate solutions can revolutionize the way you authenticate to your secure network.
