For maximum security, you should use WPA2 (AES) if you have older devices on your network, and WPA3 if you have a newer router and newer devices that support it.
Your Wi-Fi router offers encryption options such as WPA2-PSK (TKIP), WPA2-PSK (AES), and WPA2-PSK (TKIP/AES) and even, if it’s modern enough, WPA3 (AES). It can be a bit confusing, and if you choose the wrong one, you’ll end up with a slower, less secure network. Here’s what you need to know.
WPA2 vs. WEP, WPA, and WPA3
When you read about Wi-Fi security, the main focus is usually the type of encryption used to protect the wireless connection. That makes sense, after all, because by the very nature of a Wi-Fi router, all communication between your client device (like your smartphone or laptop) and the router is transmitted in the open. Anyone within range of your router can eavesdrop on that communication or even gain access to your router if the wireless connection is not secure.
This wireless connection is protected by security algorithms designed specifically for Wi-Fi. These algorithms aren’t strictly just encryption (although that’s a crucial component), but include additional functions that govern how keys are exchanged and verified, and more.
Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access II (WPA2) are the main security algorithms you’ll see when setting up a wireless network. If you have a newer router, you may also see Wi-Fi Protected Access III (WPA3).
WEP is the oldest and has proven vulnerable as more and more security flaws are discovered. WPA improved security, but is now also considered vulnerable to intrusion.
WPA2, while imperfect, is more secure than WEP or WPA and is one of the most widely used Wi-Fi security algorithms. WPA and WPA2 networks can use one of two encryption protocols, Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES). We’ll look at the difference between those two encryption protocols in a moment.
Finally, WPA3 networks only use the AES encryption protocol. Although it was introduced in 2018, WPA3 is not yet in widespread adoption.
AES vs. TKIP
TKIP and AES are two different types of encryption that a Wi-Fi network can use. TKIP is actually an older encryption protocol introduced with WPA to replace the very insecure WEP encryption at the time. TKIP is quite similar to WEP encryption. TKIP is no longer considered secure and is now deprecated. In other words, you shouldn’t use it.
AES is a more secure encryption protocol introduced with WPA2. AES is also not some creaky standard developed specifically for Wi-Fi networks. It is a serious worldwide encryption standard that has even been adopted by the US government.
For example, when you encrypt a hard drive with TrueCrypt, you can use AES encryption for that. Windows’ built-in encryption tool, BitLocker, also uses AES, as does the macOS FileVault tool. AES is generally considered quite secure, and the main weaknesses would be brute force attacks (prevented by using a strong passphrase) and security weaknesses in other aspects of WPA2.
The short version is that TKIP is an older encryption standard used by the WPA standard. AES is a newer Wi-Fi encryption solution used by the new and secure WPA2 standard. In theory, that’s the end. But, depending on your router, choosing WPA2 may not be enough.
While WPA2 is supposed to use AES for optimal security, you can also use TKIP where backwards compatibility with legacy devices is needed. In such a state, WPA2-compliant devices will connect with WPA2 and WPA-compliant devices will connect with WPA. So “WPA2” doesn’t always mean WPA2-AES. However, on devices without a visible “TKIP” or “AES” option, WPA2 is generally synonymous with WPA2-AES.
Wi-Fi Security Modes Explained: Which Should You Use?
Confused yet? Don’t feel bad if you are. The world of Wi-Fi security is pretty arcane if you’re not a fan of networking. Fortunately, you don’t need to understand the intricacies of how security protocols and handshakes have changed between all generations of Wi-Fi.
You just need to go through our list below and select the most secure option that works with all your hardware and devices. To help you avoid old and insecure options, we have marked them with [Deprecated] after his name.
And to be clear, we are not arbitrarily controlling these protocols and deprecating them based on our opinions. Both Microsoft and Apple have designated them as such, too, which is why your Windows laptop warns you when a Wi-Fi network isn’t secure, and your iPhone warns you when Wi-Fi networks are poorly secure.
Also, we have not listed “Enterprise” options in the list below because RADIUS server-based or enterprise Wi-Fi security is rare in residential settings and requires additional infrastructure.
Also, note that depending on your router, non-enterprise options may be designated as “Personal” or “PSK.” PSK stands for “Pre-Shared Key” and indicates that, unlike in an enterprise setup, security does not rely on an authentication server, but instead on the user having the Pre-Shared Key (the Wi-Fi password) to log in as their method authentication. Starting with WPA2, and especially WPA3, it’s more common to see “Personal” instead of “PSK”.
With those notes in mind, these are the options you’ll likely see on your router.
- Open [Deprecated]: Open Wi-Fi networks do not have a password. You should not set up an open Wi-Fi network; seriously, the police might break down your door.
- WEP 64 [Deprecated]: The old WEP protocol standard is vulnerable and you should not use it.
- WEP 128 [Deprecated]: This is WEP, but with a larger encryption key size. It’s really no less vulnerable than WEP 64.
- WPA-PSK (TKIP) [Deprecated]: Uses the original version of the WPA protocol (essentially WPA1). It has been superseded by WPA2 and is not secure.
- WPA-PSK (AES) [Deprecated]: This uses the original WPA protocol but replaces TKIP with the more modern AES encryption. Offered as a stopgap, but devices that support AES will almost always support WPA2, while devices that require WPA will rarely support AES encryption. So this option makes little sense.
- WPA2-PSK (TKIP) [Deprecated]: Uses the modern WPA2 standard with the older TKIP encryption. This is not secure and is only a good idea if you have older devices that cannot connect to a WPA2-PSK (AES) network.
- WPA2-PSK (AES): This is the most secure option (outside of the newer WPA3). It uses WPA2, the latest Wi-Fi encryption standard, and the latest AES encryption protocol. You should use this option unless your router supports WPA3; then use it instead. On some devices, you will only see the option “WPA2” or “WPA2-PSK”. If you do, you’ll probably just use AES, as that’s a common sense choice.
- WPA/WPA2-PSK (TKIP/AES): Some devices offer and even recommend this mixed mode option. This option enables WPA and WPA2, with TKIP and AES. This provides maximum compatibility with any older devices you may have, but also allows an attacker to invade your network by cracking the most vulnerable WPA and TKIP protocols.
- WPA2/WPA3 Personal (AES): Like WPA/WPA2 hybrid, this mode is designed for backwards compatibility. Your WPA2-only devices will connect using WPA2 (AES) and your WPA3 devices will use the more advanced protocol. It may also be labeled “WPA3 Transitional” or a variation thereof.
- WPA3 Personal (AES): Older routers do not have WPA3 and older devices cannot use WPA3. But if you have a new router that supports WPA3 and all the newer devices, there’s no reason not to switch to WPA3 completely.
WPA2 certification became available in 2004. In 2006, WPA2 certification became mandatory. Any device made after 2006 with a “Wi-Fi” logo must support WPA2 encryption. WPA3 certification became available in 2018 and any device certified after July 1, 2020 must support WPA3. (Note the use of certified and not manufactured, a company can still manufacture and sell an older design that was certified before the adoption of a new standard.)
Since every Wi-Fi device on your network (including the router itself) is most likely certified and manufactured after 2006, there’s no reason why you shouldn’t use any security protocol less than WPA2-PSK ( AES). You should be able to select that option on your router and not experience any issues.
If you have a newer router that supports WPA3, we recommend trying WPA3 (AES) to upgrade to the highest level of security. If you have any problems, please switch to WPA2/WPA3 Hybrid (AES). This way, newer devices will use the best security and older devices will fall back to WPA2; either way, they’ll use AES, which is ideal.
If you don’t have a newer router, it’s probably time to recycle it and upgrade to a current Wi-Fi router with up-to-date standards and all the Wi-Fi enhancements that come with it. You don’t have to buy a next-generation Wi-Fi 7 model, but now is a good time to switch to Wi-Fi 6 or Wi-Fi 6E if you haven’t already.
WPA and TKIP will slow down your Wi-Fi
Maybe you’ve been reading up until now and thinking, “I really don’t care much about security.” While we encourage you to be more concerned about Wi-Fi network security, we understand that it’s not a pressing priority for everyone.
So here’s a compelling reason to use better Wi-Fi security algorithms that everyone can get behind. The WPA and TKIP compatibility options are not only bad from a security point of view. They can also slow down your Wi-Fi network.
When you run WPA/TKIP on a router that supports 802.11n and newer, faster standards, it will slow down to 802.11g speeds (54 Mbps) to ensure backwards compatibility with older clients. That’s terribly slow.
By comparison, even 802.11n (Wi-Fi 4) supports up to 300 Mbps if you use WPA2 with AES. However, most people have newer routers now. If you have an 802.11ac (Wi-Fi 5) or 802.11ax (Wi-Fi 6) router and you’re using WPA/TKIP, you’re leaving a lot of performance on the table.
In generations of Wi-Fi, 802.11g is essentially “Wi-Fi 2” and came out in 2003. There’s just no good reason to use a Wi-Fi security standard that’s insecure, outdated, and slow.
When in doubt, always choose WPA 2 (AES) or WPA3
We’ve said it several times so far, but one last time for emphasis. If you’re not sure which setting to choose on your router, always choose the most secure one, and for any route made after 2010 or so, that’s either WPA 2 (AES) or WPA 3.
On most routers we’ve seen certified before 2018, the options are generally WEP, WPA (TKIP), and WPA2 (AES), with perhaps a WPA (TKIP) + WPA2 (AES) compatibility mode thrown in for good measure. If this is what your router offers you, set your router to WPA2 (AES).
On routers certified after 2018 (especially after the July 1, 2020 deadline), you will find WPA3 and WPA2/WPA3 compatibility modes. We strongly recommend trying the pure WPA3 mode. If everything works, great! You have the best Wi-Fi security settings you can. If you find that there are some older mission-critical items in your home (such as a Wi-Fi thermostat) that don’t work well with WPS, please switch back to WPA2/WPA3 compatibility mode.
But whatever you do, it’s time to put aside all the lesser Wi-Fi security protocols like WEP, WPA, and WPA2 (TKIP) for good.