An Overview of Wi-Fi Protected Access 2 (WPA2)

A beginner's guide to WPA2 and how it works

Wi-Fi Protected Access 2 is the network security technology most commonly used on Wi-Fi networks. It's an upgrade from the original WPA, which was itself designed as a stopgap replacement for the older and much weaker WEP. WPA2 has been mandatory for Wi-Fi CERTIFIED hardware since 2006 and implements the IEEE 802.11i amendment, which specifies how frames are encrypted and integrity-protected and how the keys for that are negotiated.

When WPA2 is enabled with its strongest encryption option (AES-CCMP), anyone within radio range can still capture the frames, but their payloads are encrypted and integrity-protected. One caveat applies to the home (Personal) mode: every user shares the same passphrase, so another user who knows it and captures a client's association handshake can derive that client's session keys and decrypt its traffic. WPA2-Personal protects against outsiders, not against other members of the same network.


WPA2 vs. WPA and WEP

The acronyms WPA2, WPA, and WEP look so similar that it might seem not to matter which one you choose to protect your network, but the differences between them are substantial.

The least secure is WEP. Its name stands for Wired Equivalent Privacy, a level of security it never delivered. WEP encrypts every packet with the RC4 cipher using one static network key combined with a 24-bit initialization vector that is sent in the clear. The IV space is so small that values repeat on a busy network, and weaknesses in RC4's key scheduling let an eavesdropper who collects enough packets (tens of thousands, often a few minutes of traffic) recover the key with freely available automated tools. It's best to avoid WEP entirely.

WPA improved on WEP with TKIP, which keeps RC4 (so that existing hardware could be upgraded with firmware) but mixes a fresh key for every packet, adds a 48-bit sequence counter to block replayed frames, and appends a message integrity code (Michael) so that altered frames are detected and dropped. TKIP was a transitional fix, and weaknesses in it were later found. The major difference in WPA2 is that it requires a stronger encryption method built on AES, called CCMP, which provides both confidentiality and integrity without relying on RC4 or Michael.

WPA2 security keys come in different flavors. A WPA2 Pre-Shared Key (PSK) is a 256-bit key, which is why a raw key is entered as 64 hexadecimal digits. In practice, almost everyone types an 8-to-63-character passphrase instead, and the router and every client derive the 256-bit PSK from it (and from the network name, so the same passphrase yields a different key on every SSID). This method is commonly used on home networks; many routers label it either WPA2 PSK or WPA2 Personal, and these refer to the same underlying technology. The other flavor, WPA2 Enterprise, replaces the shared passphrase with per-user credentials checked by an authentication server, so each client ends up with its own key.
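The following is an added example, not code from the original article, showing how the 64-hex-digit PSK is derived from a passphrase and SSID (PBKDF2-HMAC-SHA1 with 4096 iterations, as IEEE 802.11i specifies) and why that matters for attackers: anyone who captures a handshake can test passphrase guesses offline at this per-guess cost. The function names and the candidate word list are constructed for the example; the expected PSK for passphrase "password" on SSID "IEEE" is the test vector published in the 802.11i standard.

```python
"""WPA2-PSK key derivation (added example, not from the original article).

The 64-hex-digit PSK a router stores is not the passphrase itself. It is
PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dklen=32), per
IEEE 802.11i. Two consequences are visible in code:
  * the same passphrase gives a different PSK on every SSID, so
    precomputed tables only help against common network names;
  * with a captured 4-way handshake, each passphrase guess costs 4096
    HMAC-SHA1 operations, so security rests entirely on passphrase quality.
"""
import hashlib
from typing import Iterable, Optional

HEX_DIGITS = set("0123456789abcdefABCDEF")


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK (also the PMK) from an ASCII passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def psk_hex(passphrase: str, ssid: str) -> str:
    """The PSK in the 64-hex-digit form that router UIs accept as a raw key."""
    return wpa2_psk(passphrase, ssid).hex()


def psk_from_router_entry(entry: str, ssid: str) -> bytes:
    """Mirror the rule most configuration front ends apply (assumption for this
    example; wpa_supplicant uses the same convention): exactly 64 hex digits is
    taken as the raw key, anything else is treated as a passphrase."""
    if len(entry) == 64 and all(c in HEX_DIGITS for c in entry):
        return bytes.fromhex(entry)
    return wpa2_psk(entry, ssid)


def offline_guess(target_psk_hex: str, ssid: str,
                  candidates: Iterable[str]) -> Optional[str]:
    """Simulate the attacker's side of an offline dictionary attack.

    Here the target PSK is known directly so the comparison is simple. In a
    real attack the PSK is never seen; each guess is carried on through the
    PTK derivation and checked against the MIC in a captured handshake. The
    per-guess cost is still dominated by this PBKDF2 step.
    """
    for cand in candidates:
        try:
            if psk_hex(cand, ssid) == target_psk_hex:
                return cand
        except ValueError:
            continue  # guesses shorter than 8 chars cannot be WPA2 passphrases
    return None


if __name__ == "__main__":
    ssid = "IEEE"
    target = psk_hex("password", ssid)          # 802.11i Annex test vector
    print("PSK for 'password' on 'IEEE':", target)
    print("same passphrase on 'ieee':     ", psk_hex("password", "ieee"))
    # Constructed word list for the demonstration.
    wordlist = ["letmein1", "qwerty123", "short", "password", "Passw0rd!"]
    print("recovered passphrase:", offline_guess(target, ssid, wordlist))
```

Changing one character of the SSID changes every bit of the derived key, which is the only reason a non-default network name adds any work for an attacker; it does nothing against a weak passphrase once the attacker targets that specific network.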

AES vs. TKIP for Wireless Encryption

When you set up a home network with WPA2, you usually choose between two encryption methods: Advanced Encryption Standard (AES, meaning the AES-CCMP cipher suite) and Temporal Key Integrity Protocol (TKIP, the RC4-based scheme introduced with WPA).

Many home routers let administrators choose from among these possible combinations:

  • WPA with TKIP (WPA-TKIP): This is the default choice for old routers that don't support WPA2.
  • WPA with AES (WPA-AES): AES was first introduced before the WPA2 standard was completed, although few clients supported this mode.
  • WPA2 with AES (WPA2-AES): This is the default choice for newer routers and the recommended option for networks where all clients support AES.
  • WPA2 with AES and TKIP (WPA2-AES/TKIP): This mixed mode is needed only if some clients cannot do AES. All WPA2-capable clients support AES, but most WPA-only clients do not. Mixed mode has a cost beyond compatibility: the group (broadcast) key must use the weakest cipher any client supports, so one TKIP client drags that protection down for everyone, and 802.11n and later do not permit their high data rates on connections using TKIP.

WPA2 Limitations

Most routers support both WPA2 and a separate feature called Wi-Fi Protected Setup (WPS). WPS is designed to simplify joining a network, typically by pressing a button or entering an 8-digit PIN printed on the router, but the PIN method is flawed by design: the router confirms the first four digits of the PIN separately from the last four, and the final digit is a checksum of the other seven. An attacker therefore needs at most 10,000 guesses for the first half and 1,000 for the second, about 11,000 in total instead of 100 million.

With WPS disabled, an attacker has to recover the WPA2 passphrase itself. The usual way is to capture a client's four-way handshake and test passphrase guesses offline against it; each guess requires thousands of hash computations, so a long random passphrase is out of reach while a dictionary word falls quickly. With WPS enabled, the attacker instead guesses the router's WPS PIN online, which takes hours at most, and a successful PIN exchange hands over the network's WPA2 passphrase as part of the WPS credential. Some routers slow this down by locking WPS after repeated failures, but many do not. Security advocates recommend keeping WPS disabled for this reason.
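As an added example (not code from the original article), the following Python models why the WPS PIN is so cheap to brute-force. The checksum routine is the one defined in the WPS specification; the access point class is a constructed stand-in that answers with the same information a real registrar leaks through its M4/M6 responses (first half right or wrong, then whole PIN right or wrong). The PIN 12345670 used below is a constructed example that happens to satisfy the checksum.

```python
"""WPS PIN search space (added example, not from the original article).

Facts modelled here, both from the WPS specification:
  * the 8th digit of a WPS PIN is a checksum of the first seven;
  * the registrar protocol reveals whether the first four digits were right
    before the second half is checked, so the halves can be searched
    independently: at most 10**4 + 10**3 attempts instead of 10**7.
"""
from typing import Tuple


def wps_checksum(first7: int) -> int:
    """Checksum digit for the first seven digits of a WPS PIN (WSC spec).
    Weights alternate 3,1,3,1,3,1,3 from the most significant digit."""
    accum = 0
    pin = first7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True if the PIN is 8 digits and its last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def brute_force_cost(half_confirmed: bool) -> int:
    """Worst-case guesses. Without the split confirmation an attacker still
    has 10**7 PINs to try (the checksum removes one digit of freedom); with
    it, the halves are searched separately."""
    return 10**4 + 10**3 if half_confirmed else 10**7


class SimulatedAccessPoint:
    """Constructed stand-in for a WPS registrar. A real AP answers each PIN
    attempt with M4 (first half accepted) or a NACK, then with M6 or a NACK
    for the second half; here those outcomes are returned as booleans."""

    def __init__(self, pin: str):
        if not is_valid_wps_pin(pin):
            raise ValueError("not a valid WPS PIN")
        self._pin = pin
        self.attempts = 0

    def try_pin(self, first_half: str, second_half: str) -> Tuple[bool, bool]:
        self.attempts += 1
        first_ok = first_half == self._pin[:4]
        full_ok = first_ok and second_half == self._pin[4:]
        return first_ok, full_ok


def recover_pin(ap: SimulatedAccessPoint) -> str:
    """Split search: find the first half, then only try second halves whose
    checksum digit is consistent, so the second phase needs at most 1000 tries."""
    first_half = None
    for i in range(10**4):
        cand = f"{i:04d}"
        first_ok, _ = ap.try_pin(cand, "0000")  # second half is irrelevant here
        if first_ok:
            first_half = cand
            break
    if first_half is None:
        raise RuntimeError("first half not found")
    for j in range(10**3):
        last3 = f"{j:03d}"
        second_half = last3 + str(wps_checksum(int(first_half + last3)))
        _, full_ok = ap.try_pin(first_half, second_half)
        if full_ok:
            return first_half + second_half
    raise RuntimeError("second half not found")


if __name__ == "__main__":
    ap = SimulatedAccessPoint("12345670")
    print("recovered PIN:", recover_pin(ap), "after", ap.attempts, "attempts")
    print("worst case, split confirmation:", brute_force_cost(True))
    print("worst case, whole-PIN confirmation:", brute_force_cost(False))
```

The attempt counter is the point of the exercise: at a few seconds per WPS exchange, 11,000 attempts is a matter of hours, whereas 10 million would take years at the same rate. This is why disabling WPS, not choosing a longer passphrase, is the fix for this particular weakness.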

Enabling WPA and WPA2 together (mixed mode) on a router also causes connection failures with some clients that do not handle the combined advertisement correctly, in addition to forcing TKIP to remain enabled for the network.

Using WPA2 adds some processing load for encryption and decryption, but modern Wi-Fi chipsets perform AES in hardware, so the performance impact is usually negligible, especially when weighed against the risk of running WPA or WEP, or no encryption at all.