WPA3

WPA3 (Wi-Fi Protected Access 3) is the current Wi-Fi security standard, introduced by the Wi-Fi Alliance in 2018 to replace WPA2. It addresses several long-standing weaknesses of WPA2, most of them in WPA2-Personal: a captured four-way handshake can be attacked offline with a dictionary, because the pairwise master key (PMK) is derived directly from the passphrase and SSID; there is no forward secrecy, since anyone who learns the passphrase can decrypt traffic captured earlier; and management frames such as deauthentication and disassociation could be forged, because protection for them (802.11w) was optional.

In short: WPA3-Personal replaces the passphrase-derived PMK with Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange based on the Dragonfly handshake. Each connection performs an ephemeral Diffie-Hellman exchange bound to the password, so a captured exchange gives an attacker nothing to test guesses against offline; every guess costs a live exchange with the access point, which can be detected and throttled. The same property gives forward secrecy. The four-way handshake still runs afterwards to derive session keys, but from a fresh per-connection PMK rather than from the passphrase. SAE does not make a weak passphrase strong against online guessing, so passphrase quality still matters. WPA3 also makes Protected Management Frames (PMF) mandatory. WPA3-Enterprise keeps 802.1X/EAP authentication (for example EAP-TLS with client certificates), requires PMF, and adds an optional 192-bit mode with a fixed suite of stronger primitives (GCMP-256 with SHA-384-based key derivation and P-384 or RSA-3072 or stronger in the TLS handshake), suited to enterprise and industrial deployments. Wi-Fi CERTIFIED 6 requires WPA3, so most current-generation Wi-Fi equipment supports it.

For IoT deployments, WPA3 should be the target for new builds. Mixed-mode operation (WPA2/WPA3 transition mode) is widely supported on current access points: the SSID advertises both the PSK and SAE authentication suites with a shared passphrase, so older WPA2-only clients can coexist with WPA3-capable ones during migration. Treat it as a migration state, not an end state. In transition mode PMF is only optional, and a client that accepts either mode can be downgraded: an attacker broadcasting a WPA2-only network with the same SSID can get the client to complete a WPA2 handshake whose MIC is derived from the shared passphrase, which is then crackable offline exactly as with WPA2. Once every client on a given SSID supports WPA3, enforce pure WPA3 with PMF required.

Client device support remains the main practical constraint. Many IoT devices, particularly older or low-cost ones, are still WPA2-only. For deployments that must keep such devices, either serve them from a separate WPA2 SSID (on its own VLAN, with strict firewall rules between it and other zones) or replace the affected devices. Whatever mode is used, allow only CCMP (AES) as the cipher and disable TKIP. Regulatory regimes such as the Network and Information Systems Regulations and modern security frameworks do not prescribe a Wi-Fi protocol by name, but their expectation of current, supported cryptography translates in practice to WPA3, or at minimum WPA2 with CCMP, for any new enterprise or critical-infrastructure deployment.
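Checking where a site actually stands against the migration guidance above is a matter of reading what each SSID advertises in its RSN element. The script below is an added example, not code from the original page: it parses the text produced by `iw dev <ifname> scan` on Linux and flags transition mode, WPA2-only SSIDs, TKIP, missing PMF, and networks with no RSN element at all. The scan output embedded in it is constructed to exercise each case; the capability hex values in it are placeholders, and real output will contain many more lines the parser ignores.

```python
"""Audit Wi-Fi SSIDs from `iw dev <ifname> scan` output for WPA3 migration state.

The parser keys on the RSN element lines that iw prints (Group cipher, Pairwise
ciphers, Authentication suites, Capabilities). Everything else is skipped.
"""
import re
from dataclasses import dataclass, field

# Constructed scan output; capability hex values are placeholders, not real flags.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:55(on wlan0)
    SSID: plant-sensors
    RSN:     * Version: 1
             * Group cipher: CCMP
             * Pairwise ciphers: CCMP
             * Authentication suites: PSK SAE
             * Capabilities: 16-PTKSA-RC 1-GTKSA-RC MFP-capable (0x0000)
BSS 00:11:22:33:44:56(on wlan0)
    SSID: plant-controllers
    RSN:     * Version: 1
             * Group cipher: CCMP
             * Pairwise ciphers: CCMP
             * Authentication suites: SAE
             * Capabilities: 16-PTKSA-RC 1-GTKSA-RC MFP-required MFP-capable (0x0000)
BSS 00:11:22:33:44:57(on wlan0)
    SSID: legacy-cameras
    RSN:     * Version: 1
             * Group cipher: TKIP
             * Pairwise ciphers: CCMP TKIP
             * Authentication suites: PSK
             * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
BSS 00:11:22:33:44:58(on wlan0)
    SSID: guest-open
    capability: ESS (0x0001)
"""


@dataclass
class Network:
    bssid: str
    ssid: str = ""
    has_rsn: bool = False
    akm: str = ""                       # raw "Authentication suites" text, e.g. "PSK SAE"
    ciphers: list = field(default_factory=list)
    mfp_capable: bool = False
    mfp_required: bool = False


def parse_iw_scan(text: str) -> list:
    """Group iw scan lines into Network records; one record per BSS line."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        bss = re.match(r"BSS ([0-9a-fA-F:]{17})", line)
        if bss:
            current = Network(bss.group(1).lower())
            networks.append(current)
            continue
        if current is None:
            continue
        if line.startswith("SSID:"):
            current.ssid = line[len("SSID:"):].strip()
        elif line.startswith("RSN:"):
            current.has_rsn = True
        elif "Authentication suites:" in line:
            current.akm = line.split(":", 1)[1].strip()
        elif "Pairwise ciphers:" in line or "Group cipher:" in line:
            current.ciphers += line.split(":", 1)[1].split()
        elif "Capabilities:" in line:            # RSN capabilities; lowercase "capability:" is the BSS one
            current.mfp_capable = "MFP-capable" in line
            current.mfp_required = "MFP-required" in line
    return networks


def assess(n: Network) -> list:
    """Return findings for one SSID; an empty list means pure WPA3 with PMF required and CCMP only."""
    if not n.has_rsn:
        return ["no RSN element: open, WEP or WPA1; isolate or migrate"]
    findings = []
    if "TKIP" in n.ciphers:
        findings.append("TKIP enabled: allow CCMP (AES) only")
    sae, psk = "SAE" in n.akm, "PSK" in n.akm
    if sae and psk:
        findings.append("WPA2/WPA3 transition mode: migration state only, exposed to WPA2 downgrade")
        if not (n.mfp_capable or n.mfp_required):
            findings.append("transition mode without PMF capable: WPA3 clients cannot use PMF")
    elif psk:
        findings.append("WPA2-only: acceptable only on a segregated legacy SSID")
    elif sae and not n.mfp_required:
        findings.append("WPA3-Personal without PMF required: WPA3 mandates management frame protection")
    return findings


def audit(text: str) -> dict:
    """Map BSSID -> findings for every network in the scan text."""
    return {n.bssid: assess(n) for n in parse_iw_scan(text)}


if __name__ == "__main__":
    for n in parse_iw_scan(SAMPLE_SCAN):
        print(f"{n.ssid:20} {n.bssid}  {'OK' if not assess(n) else '; '.join(assess(n))}")
```

Run it against the saved output of a real scan to get a per-SSID list of what still needs to move; the only SSID that comes back clean is one advertising SAE alone, CCMP alone, and MFP-required.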
