An Overview of Wi-Fi Protected Access 2 (WPA2)

A Beginner's Guide to WPA2 and How It Works

Wi-Fi Protected Access 2 (WPA2) is a network security standard commonly used on Wi-Fi wireless networks. It's an upgrade from the original WPA, which was itself a stopgap replacement for the older and much less secure WEP.

WPA2 has been mandatory for all Wi-Fi certified hardware since 2006. It implements the IEEE 802.11i security amendment, which defines the key handshake and the AES-based CCMP cipher used for data encryption and integrity.

When WPA2 is enabled with its strongest encryption option (AES-CCMP), anyone within radio range can still capture the frames, but their payloads are encrypted with per-session keys and cannot be read without the network key. One caveat for WPA2 Personal: anyone who knows the passphrase and captures a client's handshake can derive that client's session key, so the passphrase protects the network only as well as it is kept secret.

WPA2 vs. WPA and WEP


It can be confusing to see the acronyms WPA2, WPA, and WEP side by side; they look so similar that the choice might seem unimportant, but the differences between them are large.

The least secure is WEP, which was designed to provide privacy "equivalent" to a wired connection but falls far short of it. WEP encrypts every packet with the RC4 stream cipher using a static shared key combined with a 24-bit initialization vector. That IV space is small enough that keystreams repeat on a busy network, and weaknesses in how RC4 is keyed let an eavesdropper who collects enough packets recover the key with automated tools, often in just a few minutes. It's best to avoid WEP entirely.

WPA improved on WEP by introducing TKIP, which mixes a fresh per-packet key from the session key and adds a message integrity check (Michael) so that tampered packets are rejected, while still running on WEP-era RC4 hardware. The major difference between WPA2 and WPA is that WPA2 requires the stronger AES-based CCMP cipher, which provides both encryption and integrity and replaces RC4 and TKIP entirely.

WPA2 comes in two modes. WPA2 Personal, also called WPA2-PSK (Pre-Shared Key), is the method most commonly used on home networks: every device uses the same 256-bit key, which routers display as 64 hexadecimal digits and which is normally derived from a passphrase of 8 to 63 characters combined with the network's SSID. Many home routers use the labels WPA2-PSK and WPA2 Personal interchangeably; they refer to the same underlying technology. WPA2 Enterprise instead authenticates each user through an 802.1X authentication server, so there is no shared passphrase to leak.
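The derivation above is simple enough to reproduce. The following is an added example, not code from the original article: it derives the 64-hex-digit PSK from a passphrase and SSID using the PBKDF2-HMAC-SHA1 construction 802.11i specifies (4096 iterations, SSID as salt), and then shows why the passphrase matters by running the same derivation as an offline guess against a list of candidates. The "password"/"IEEE" vector is the published 802.11i test vector; the SSID "HomeNet" and the candidate list are constructed for this example.

```python
import hashlib
import hmac

ITERATIONS = 4096  # fixed by IEEE 802.11i for passphrase-to-PSK mapping
PSK_BYTES = 32     # 256-bit PSK, shown by routers as 64 hex digits


def derive_psk(passphrase: str, ssid: str) -> str:
    """Map a WPA/WPA2 passphrase and SSID to the 256-bit PSK (hex)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                              ssid.encode("utf-8"), ITERATIONS, PSK_BYTES)
    return psk.hex()


def recover_passphrase(target_psk_hex: str, ssid: str, candidates):
    """Offline guessing as an attacker would do it once a PSK can be checked
    against a captured handshake: each guess costs 4096 HMAC-SHA1 rounds and
    is bound to one SSID, so it cannot be precomputed across networks."""
    for cand in candidates:
        try:
            guess = derive_psk(cand, ssid)
        except ValueError:
            continue  # too short or too long to be a legal passphrase
        if hmac.compare_digest(guess, target_psk_hex):
            return cand
    return None


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_psk("password", "IEEE"))

    # Constructed scenario: a weak passphrase on a constructed SSID.
    ssid = "HomeNet"
    victim_psk = derive_psk("sunshine1", ssid)
    wordlist = ["12345678", "password", "letmein123", "sunshine1", "qwertyuiop"]
    print("recovered:", recover_passphrase(victim_psk, ssid, wordlist))
```

Because the salt is the SSID, networks that keep a vendor default name share a salt, and precomputed tables for common SSIDs are a long-standing attack; a unique SSID and a long random passphrase defeat both the table and the per-guess loop above.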

AES vs. TKIP for Wireless Encryption

When you set up your home network with WPA2, you'll usually have to choose between two encryption methods: Advanced Encryption Standard (AES, strictly AES-CCMP) and Temporal Key Integrity Protocol (TKIP).

Many home routers let administrators choose from among these possible combinations:

  • WPA with TKIP (WPA-TKIP): This is the default choice for old routers that did not yet support WPA2.
  • WPA with AES (WPA-AES): AES was first introduced before the WPA2 standard was completed, although very few clients ever supported this mode.
  • WPA2 with AES (WPA2-AES): This is the default choice for newer routers and the recommended option for networks where all clients support AES.
  • WPA2 with AES and TKIP (WPA2-AES/TKIP): Routers need to enable both modes only if some client does not support AES. All WPA2-capable clients support AES, but most WPA-only clients do not. Leaving TKIP enabled keeps its known weaknesses reachable and, under 802.11n and later, forces TKIP clients down to legacy data rates, so turn it on only for a specific legacy device that needs it.

WPA2 Limitations

Most routers support both WPA2 and a separate feature called Wi-Fi Protected Setup (WPS). While WPS is designed to simplify setting up home network security, flaws in its PIN method undermine the protection it was meant to make easy.

With WPA2 enabled and WPS disabled, an attacker must recover the WPA2 PSK that clients are using; against a strong passphrase, offline guessing from a captured handshake is impractically slow. With both features enabled, an attacker only needs to find the 8-digit WPS PIN, which the router will then use to hand over the WPA2 key. The PIN's last digit is a checksum and the protocol confirms the two halves separately, so at most about 11,000 guesses are needed rather than 100 million. Security advocates recommend keeping WPS disabled for this reason.
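The two configuration mistakes discussed above, the mixed AES/TKIP mode in the list and WPS left enabled here, are easy to check for mechanically. The following is an added example, not code from the original article or from the hostapd project: a small auditor for a hostapd.conf that flags WPA1, TKIP and WPS. The directive names (wpa, wpa_pairwise, rsn_pairwise, wps_state) are hostapd's own; the two configuration fragments, the SSID and the passphrase are constructed for this example.

```python
# Constructed hostapd.conf fragment with the weak settings: mixed WPA/WPA2,
# TKIP permitted on both pairwise cipher lists, and WPS enabled.
WEAK_CONF = """
interface=wlan0
ssid=HomeNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=correct horse battery staple
wps_state=2
"""

# Constructed hardened counterpart: WPA2 only, CCMP only, WPS off.
HARDENED_CONF = """
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple
wps_state=0
"""


def parse_conf(text: str) -> dict:
    """Parse hostapd's key=value format, ignoring blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text: str) -> list:
    """Return a list of findings; an empty list means no weak setting found."""
    conf = parse_conf(text)
    findings = []

    # wpa is a bitmask: bit 0 = WPA (TKIP era), bit 1 = WPA2/RSN.
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        findings.append("wpa=0: no WPA/WPA2 protection at all")
    if wpa & 1:
        findings.append("wpa allows WPA1: set wpa=2")

    # rsn_pairwise falls back to wpa_pairwise when unset, so check both lists.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        ciphers = conf.get(key, "").split()
        if "TKIP" in ciphers:
            findings.append(f"{key} permits TKIP: use CCMP only")

    # wps_state=0 disables WPS; 1 and 2 leave the PIN method reachable.
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS enabled: set wps_state=0 (PIN is brute-forceable)")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_hostapd(conf) or ["OK"])
```

The same checks translate directly to a consumer router's web interface: pick WPA2 only, AES/CCMP only, and turn WPS off.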

WPA and WPA2 sometimes interfere with each other when both are enabled on a router at the same time (mixed mode), which can cause client connection failures.

Using WPA2 adds some processing load for encryption and decryption, but modern Wi-Fi chipsets accelerate AES in hardware, so the performance impact is usually negligible, especially weighed against the risk of using WPA or WEP, or even no encryption at all. In practice TKIP is the slower choice: 802.11n and later do not use their high data rates with it.