// ARTICLE · INSTRUCTIONAL · WI-FI · WPA3

WPA2 vs WPA3 transition mode — when to switch and what breaks

For most home networks in 2026, WPA2/WPA3 transition mode is the right setting on the Wi-Fi SSID — newer phones and laptops negotiate WPA3, older devices fall back to WPA2, nothing on the network has to be replaced to enable it. The reasons are specific, and so are the gotchas. The standards body that ratified WPA3 has explicitly told operators that transition mode is not a security destination, the band you most want to use (6 GHz) forbids transition mode by spec, and a measurable share of legacy clients will still refuse to associate when you turn it on. A pragmatic, citation-backed walkthrough.

Published: May 15, 2026
Read time: ~12 minutes
Topic: Wi-Fi · WPA2 · WPA3 · transition mode
Audience: Homeowners · network engineers · AV integrators

§ 01 · What transition mode actually is

The 30-second protocol primer.

A Wi-Fi access point that runs WPA2/WPA3 transition mode is broadcasting two authentication methods on the same SSID simultaneously. The exact behaviour is defined in Section 2.3 of the Wi-Fi Alliance's WPA3 Specification, currently at version 3.5 (February 2025).²

The beacon and probe-response frames advertise both AKM (Authentication and Key Management) suites in the RSN Information Element: 00-0F-AC:2 (WPA2-Personal, pre-shared key) and 00-0F-AC:8 (WPA3-Personal, Simultaneous Authentication of Equals). Modern access points additionally advertise 00-0F-AC:24 (SAE using a group-dependent Hash-to-Element exchange) on top.² Clients choose: a phone that supports WPA3 picks the SAE AKM, a smart plug that does not picks the PSK AKM, both join the same SSID with the same passphrase.

The other distinction in the beacon is the Protected Management Frames (PMF) bit. A WPA3-only network sets both MFPC (Management Frame Protection Capable) and MFPR (Management Frame Protection Required) to 1 — PMF is mandatory. A transition-mode network sets MFPC=1 but MFPR=0 — PMF is offered to clients that want it, but clients that don't support it can still associate.¹ Ubiquiti's default in the UniFi Network application matches: when you pick WPA2/WPA3 on an SSID, PMF is set to Optional and can't be disabled.²⁹

That's the whole of it. One SSID, two AKMs, PMF offered but not required, fallback at the discretion of the client.

§ 02 · The case for turning it on

Why “just use transition mode” is the modern default.

Three federal-grade and one vendor-grade source make the case directly.

The National Security Agency's February 2023 Cybersecurity Information Sheet, Best Practices for Securing Your Home Network, gives this guidance in two sentences: “To keep your wireless communications confidential, ensure your personal or ISP-provided WAP is capable of Wi-Fi Protected Access 3 (WPA3). If you have devices on your network that do not support WPA3, you can select WPA2/3 instead.” NSA additionally specifies a passphrase of “a minimum length of twenty characters” and recommends enabling Protected Management Frames where available.

The Cybersecurity and Infrastructure Security Agency's home Wi-Fi module, part of CISA's Project Upskill curriculum, treats WPA3 Personal and WPA2-AES as both acceptable choices: “Check to make sure your router uses WPA3 Personal or WPA2 AES (also referred to as WPA2 Pre-Shared Key [PSK] or WPA2) encryption. These are the only two forms of encryption that are considered safe and secure against threat actors.” CISA condemns WEP, WPA1, and WPA2 with TKIP — not WPA2 by itself.

Apple's Recommended settings for Wi-Fi routers and access points support article — updated as recently as March 2026 — endorses both options directly: “Set to WPA3 Personal for better security, or set to WPA2/WPA3 Transitional for compatibility with older devices.”¹⁰ The same article's deprecation list — what triggers the “Weak Security” banner in iOS Settings — is “WPA/WPA2 mixed modes, WPA Personal, WEP, and TKIP.”¹⁰ WPA2/WPA3 Transitional is not on the deprecation list. WPA-with-WPA2 is.

And eero, the residential Wi-Fi vendor with one of the largest deployed home-network fleets in the US, was direct when it added WPA3 support in 2020: “We have chosen to implement transition mode… transition mode is designed to support WPA2 and WPA3 simultaneously” — alongside the candid admission, “our testing has revealed interoperability issues with some legacy devices.”¹⁴

The case is settled at the policy layer. The interesting question is the operational one: what those interoperability issues actually look like, and where the standards body itself draws the line.

§ 03 · The case against — for the security-sensitive

What the Wi-Fi Alliance and the cryptographers say.

The Wi-Fi Alliance's December 2020 Wi-Fi Security Roadmap and WPA3 Updates deck contains the cleanest one-line warning we've found in any standards-body document:

“If a WPA3 Transition mode does not meet the security requirements for a deployment, WPA3 and WPA2 should be deployed on individual SSIDs and logically separated / isolated network segments.”³

The same deck spells out the inheritance: “WPA2-Personal is still vulnerable to all the classic issues.”³ A transition-mode SSID accepts WPA2 connections; therefore a transition-mode SSID inherits WPA2's attack surface for any client that uses the WPA2 path.

The cryptographic case is documented in Mathy Vanhoef and Eyal Ronen's paper Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd, presented at the IEEE Symposium on Security and Privacy in 2020.¹⁶ Section 4.1.1 documents a downgrade attack against WPA3-Personal Transition Mode where the attacker does not need a man-in-the-middle position. In the authors' words:

“The adversary can broadcast a WPA2-only network with the given SSID. This causes the client to connect to our rogue AP using WPA2. The adversary can forge the first message of the 4-way handshake, since this message is not authenticated. In response, the victim will transmit message 2 of the 4-way handshake, which is authenticated. Based on this authenticated handshake message, a dictionary attack can be carried out.”¹⁶

The vulnerability is keyed by CERT/CC as VU#871675¹⁷ and assigned six CVEs (CVE-2019-9494 through CVE-2019-9499).¹⁸ Two practical reproductions of the attack have been published since: TrustedSec's July 2024 writeup documents capturing a WPA2 4-way handshake from a transition-mode SSID across Aruba, Ubiquiti, MikroTik, and Cisco Meraki APs, and brute-forcing it offline with Hashcat.¹⁹ RedLegg's June 2025 piece demonstrates the same downgrade with the open-source eaphammer tool.²⁰

The Wi-Fi Alliance itself acknowledged the risk in December 2020 by making Transition Disable a mandatory feature of every Wi-Fi CERTIFIED WPA3 device.³ When the access point is fully on WPA3 and decides legacy clients are no longer needed, it can broadcast an authenticated bit telling clients to permanently remove WPA2 from their saved profile for that SSID. The escape hatch exists because transition mode is not designed to be permanent.

The honest framing, then, is: WPA2/WPA3 transition mode is meaningfully better than WPA2-only for the modern clients that pick the SAE AKM, and meaningfully not better than WPA2-only for the legacy clients that pick the PSK AKM. If everything on your network can do WPA3, there is a defensible argument for switching to WPA3-only. For most homes that is not yet true.
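The RSN fields described in § 01 and the rogue WPA2-only AP described in the Dragonblood quote can both be checked from a beacon capture. The following is an added example, not part of the original article or of any vendor tool: it parses an RSN element body, classifies each beacon as WPA2-only, transition or WPA3-only, and flags beacons for the monitored SSID that deviate from the known baseline. The SSID, BSSIDs and frame bytes are constructed, and the CCMP cipher suite (00-0F-AC:4) in the samples is an assumption.

```python
import struct

OUI = bytes.fromhex("000fac")              # IEEE 802.11 suite OUI 00-0F-AC
AKM_PSK, AKM_SAE, AKM_SAE_GDH = 2, 8, 24   # AKM suite types named in the article
CCMP = OUI + b"\x04"                       # assumption: CCMP-128 in the sample frames
MFPR, MFPC = 0x0040, 0x0080                # RSN Capabilities bits 6 and 7


def parse_rsn(body: bytes) -> dict:
    """Parse an RSN element body (the bytes after element ID and length)."""
    def u16(off):
        if off + 2 > len(body):
            raise ValueError("truncated RSN element")
        return struct.unpack_from("<H", body, off)[0]

    if u16(0) != 1:
        raise ValueError("unsupported RSN version")
    off = 2 + 4                            # skip version and group cipher suite
    off += 2 + 4 * u16(off)                # skip pairwise cipher suite list
    count = u16(off)
    off += 2
    if off + 4 * count > len(body):
        raise ValueError("truncated AKM suite list")
    akms = set()
    for i in range(count):
        suite = body[off + 4 * i: off + 4 * i + 4]
        if suite[:3] == OUI:
            akms.add(suite[3])
    off += 4 * count
    caps = u16(off) if off + 2 <= len(body) else 0   # capabilities are optional
    return {"akms": akms, "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}


def classify(rsn: dict) -> str:
    """Map the advertised AKM suites to the modes the article distinguishes."""
    sae = bool(rsn["akms"] & {AKM_SAE, AKM_SAE_GDH})
    psk = AKM_PSK in rsn["akms"]
    if sae and psk:
        return "transition"
    if sae:
        return "wpa3-only"
    return "wpa2-only" if psk else "other"


def pmf_ok(mode: str, rsn: dict) -> bool:
    """Transition mode must offer PMF; WPA3-only must also require it."""
    if mode == "transition":
        return rsn["mfpc"]
    if mode == "wpa3-only":
        return rsn["mfpc"] and rsn["mfpr"]
    return True


def audit(beacons, ssid, known_bssids, expected_mode):
    """Return (bssid, mode, reason) for beacons of `ssid` that deviate from baseline."""
    findings = []
    for bssid, name, body in beacons:
        if name != ssid:
            continue
        rsn = parse_rsn(body)
        mode = classify(rsn)
        if mode != expected_mode:
            # Checked first: a cloned BSSID does not hide a weaker advertisement.
            findings.append((bssid, mode, "mode differs from baseline"))
        elif bssid not in known_bssids:
            findings.append((bssid, mode, "unknown BSSID"))
        elif not pmf_ok(mode, rsn):
            findings.append((bssid, mode, "PMF bits differ from expected posture"))
    return findings


def build_rsn(akm_types, caps):
    """Build a constructed RSN element body for the sample beacons."""
    body = struct.pack("<H", 1) + CCMP + struct.pack("<H", 1) + CCMP
    body += struct.pack("<H", len(akm_types))
    body += b"".join(OUI + bytes([t]) for t in akm_types)
    return body + struct.pack("<H", caps)


# Constructed sample data: two legitimate APs plus deviating advertisements.
KNOWN = {"02:00:00:00:00:01", "02:00:00:00:00:02"}
BEACONS = [
    ("02:00:00:00:00:01", "HomeNet", build_rsn([2, 8, 24], MFPC)),
    ("02:00:00:00:00:02", "HomeNet", build_rsn([2, 8], MFPC)),
    ("02:00:00:00:00:99", "HomeNet", build_rsn([2], 0)),    # WPA2-only, unknown BSSID
    ("02:00:00:00:00:01", "HomeNet", build_rsn([2], 0)),    # WPA2-only, cloned BSSID
    ("02:00:00:00:00:77", "Neighbour", build_rsn([2], 0)),  # different SSID, ignored
]

if __name__ == "__main__":
    for finding in audit(BEACONS, "HomeNet", KNOWN, "transition"):
        print(finding)
```

Because the mode comparison runs before the BSSID allowlist, a WPA2-only advertisement is reported even when it reuses the address of a legitimate AP.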

§ 04 · What actually breaks

The named-device list, with primary sources.

The most useful single sentence on transition-mode breakage we found in any vendor doc is buried in Juniper Mist's 6 GHz wireless considerations page: “Older devices (such as Android 9 and older as well as Microsoft Surface devices with Marvell chipsets) have had trouble connecting to WPA3-Personal Transition networks.”²⁴ The same page advises operators to “consider using an SSID with WPA2-Personal configured on the 2.4 and 5-GHz bands to support older devices” rather than compromise the WPA3 SSID.²⁴

The Microsoft Surface side of that finding is the AVASTAR / Marvell 88W8897 Wi-Fi chipset shipped in the Surface Pro 3, Surface Pro 6, Surface Laptop, and Surface Book 2. Marvell never released a WPA3-capable driver, and Microsoft moved to Intel Wi-Fi silicon in subsequent Surface generations; these devices are stuck on WPA2 and can intermittently fail to associate in transition mode.²⁴

The other recurring categories of breakage, from vendor documentation directly:

  • Sonos — first-generation hardware. Sonos's own support article lists which products do and don't support WPA3. The Sonos Play:1, Play:3, Play:5 (Gen 2), original One (Gen 1), Sub (Gen 1 and 2), Symfonisk Bookshelf (Gen 1), and original Symfonisk Table Lamp all do not support WPA3.³⁴ The vendor recommendation is WPA2/WPA3 Transitional if any first-gen Sonos is on the network, or a separate WPA2-only SSID for those speakers.
  • Ring — most cameras and doorbells. Ring's support article on Wi-Fi security protocols for its devices states that, as of early 2025, only the Doorbell Pro 2, Indoor Cam (2nd Gen), and Stickup Cam Pro support WPA3. The rest of the Ring fleet is WPA2 only.³⁵
  • Older smart-home and IoT hardware. Google's own support documentation for Nest Wifi says it ships with WPA2 by default “to maximize compatibility with legacy connected devices” and explicitly warns: “Some legacy WPA2 devices may be incompatible with WPA3 and experience connection issues when WPA3 transition mode is on.”¹⁵ That includes a long tail of older Nest cameras and thermostats, older smart-TV firmware, older e-readers, and the original Nintendo Switch and Switch Lite, which support WPA2-AES but not WPA3.³¹ The Switch 2, released in 2025, added WPA3-SAE support.³²
  • Wi-Fi printers. HP's position, visible in its own community forum staffed by HP engineers, is that current HP printers support PMF only with WPA and WPA2, and recommends transition mode as the path forward for households that want WPA3 on their other devices.³⁶ Brother and Canon both ship WPA3 support on current models; Brother explicitly documents that the WPS easy-setup flow does not work under WPA3, requiring the wired or USB driver-install path instead.³⁷

The total rate is measurable. Jennifer Minella, author of Wireless Security Architecture (Wiley), gave a number on Packet Pushers' Heavy Wireless podcast in May 2023: moving an enterprise SSID from WPA2-only to transition mode caused roughly 20 to 30 percent of endpoints to fail to associate on passphrase networks.²⁷ Enterprise 802.1X networks fared much better. Her quote on residential gear is characteristic of the field experience: “some endpoints … they just misbehave and they just completely spazz out when they see something they don't understand.”²⁷ The failures, she observed, do not correlate cleanly with device age.

§ 05 · Where transition mode is forbidden by spec

6 GHz, Wi-Fi 6E, Wi-Fi 7, and MLO.

The 6 GHz band — the spectrum Wi-Fi 6E and Wi-Fi 7 access points operate in — does not permit WPA2 at all. The Wi-Fi Alliance's WPA3 Specification is explicit in the note attached to Section 2.3: “Per Sections 11.2 and 11.4, an AP does not operate a BSS in WPA3-Personal Transition Mode in the 6 GHz band or Sub 1 GHz band.”²

Cisco Meraki's WPA3 configuration guide restates this as a normative line: “WPA2 is not permitted in 6 GHz operation.”²² HPE Aruba's WPA3-Enterprise documentation describes the same behaviour from the AP's perspective: “When used in the 6 GHz radio band, PMF is mandatory and the transition mode will be automatically overruled and disabled.”²³ Ubiquiti's help-center article Getting Started with 6 GHz reaches the same conclusion: “All 6 GHz networks will be secured with OWE or WPA3, as required by standards.”³⁰

Wi-Fi 7's Multi-Link Operation feature — where a single client maintains simultaneous associations on multiple bands — is also WPA3-only. Ubiquiti's MLO documentation is explicit: “An MLO SSID must use WPA3 as the encryption method across all involved bands and, therefore, will not allow clients that support WPA2 or lower to connect.”²⁶ Enabling MLO in the UniFi controller forces the security mode to WPA3 or WPA3-Enterprise automatically.²⁶

Practical consequence: the moment a household upgrades to a Wi-Fi 6E or Wi-Fi 7 access point and wants to use the 6 GHz band at all, transition mode stops being a choice. Modern clients connect on 6 GHz with WPA3 and PMF mandatory. Legacy IoT clients stay on 2.4 GHz with whatever the 2.4 GHz radio is configured for — which, in transition mode, is WPA2 or WPA3 at the client's discretion.

§ 06 · The adoption picture

WPA3 is still single-digit in the wild.

The most recent published-snapshot view of global Wi-Fi encryption distribution comes from WiGLE, the volunteer wardriving project that has observed more than 1.7 billion unique networks worldwide. As of late 2025, WiGLE's public statistics page reported the mix as roughly 75% WPA2, 3% WPA3, and the remainder a long tail of WPA, WEP, and unknown.²⁵ The number cuts globally rather than residentially, but it is the only public baseline of comparable scale.

Telemetry from HPE-Juniper's Mist cloud, shared at the 2026 Wireless LAN Professionals Conference and reported by Rasika Nayanajith on his mrncciew.com blog, paints a similar picture from the enterprise side: “Based on the statistics shared by HPE-Juniper, only around 10% of Wi-Fi authentications are using WPA3, and just 1% of those are WPA3-Personal.”²⁶ That is enterprise telemetry, where IT departments tend to be ahead of residential homeowners on security mode. The residential ratio is almost certainly lower.

Juniper Mist itself only made WPA3 the default for newly created wireless networks on November 12, 2025: “WPA3 is now the default security type when you create a new WLAN within Mist. There are no changes to existing WLANs.”²⁶ An enterprise-grade controller waiting until late 2025 to ship WPA3-by-default is itself the data point.

The implication for residential deployment is direct. Transition mode is not a temporary stopover from a world where WPA3 is the norm — it is the live operating point for almost everyone in 2026. The question is not whether to use it, but how to scope it.

§ 07 · The UniFi-specific knobs

What to set in the Network application.

In the UniFi Network application — version 8.1 or newer for transition mode²⁹ — the relevant controls live under Settings → WiFi → [SSID] → Security Protocol and the adjacent PMF tristate. Ubiquiti's help-center page covering the settings documents the recommendation directly: “Use WPA2/WPA3 for most environments — this provides a good compromise between modern security and legacy device compatibility. It allows newer devices to use WPA3 while falling back to WPA2 for those that don't support it.”²⁹

The PMF dropdown is more constrained than it looks. The same page states: “PMF is disabled by default for WPA2 networks, however it cannot be disabled for WPA2/3 and WPA3 networks.”²⁹ On a transition SSID, the only choices are Optional (default; clients negotiate it if they support it) or Required (which excludes clients that cannot do PMF — most pre-WPA3 IoT).

The single most common reason a UniFi engagement is still on WPA2-only in 2026 is Private Pre-Shared Keys — Ubiquiti's feature for assigning a different passphrase to different clients on the same SSID, useful for handing each houseguest, contractor, or family member their own credential. PPSK does not support WPA3. HostiFi's blog post on the feature's launch in October 2023 was unambiguous: “At the moment, this won't work on setups which use WPA3.”²⁸ The limitation is still in place as of mid-2026; the community feature-request thread is open and unmerged.

For households that want WPA3-grade security on a guest network without a shared passphrase at all, the cleaner answer is now Enhanced Open — an open SSID with opportunistic wireless encryption (OWE) on the wire. Ubiquiti shipped OWE in UniFi Network 10.2 on 12 March 2026: “Enhanced Open (OWE) mode, significantly improving user privacy and offering protection against deauthentication attacks … WPA3-grade security and 6 GHz support … password-free encrypted connectivity for guests and public spaces.”³³

One more UniFi-specific recommendation: leave the Fast Roaming (802.11r) toggle off unless every client on the SSID needs it. Newer UniFi firmware cycles have repeatedly surfaced edge cases where the combination of WPA3-Personal + Fast Transition + iPhone handoff produces brief disconnections; the field-engineer workaround across multiple incidents has been to disable Fast Roaming on the affected SSID until the firmware fix lands. The behaviour is reported as intermittent and per-firmware-version; the conservative residential default is to leave 802.11r off unless the household has VoIP or video-call use cases that genuinely need sub-50-ms roams.

§ 08 · The pragmatic plan

A decision tree for residential operators.

The summary of all the above, as a sequence of decisions that fit on one page:

  • 2.4 GHz / 5 GHz main SSID — set Security Protocol to WPA2/WPA3 with PMF Optional. Use a passphrase of 20 characters or more, per NSA guidance. Modern devices negotiate WPA3 with SAE; legacy devices fall back to WPA2-AES.
  • 6 GHz radio — the controller will force WPA3-only automatically when a 6 GHz radio is enabled on the SSID. This is a Wi-Fi Alliance requirement, not a vendor choice.² 6 GHz traffic gets the full SAE + mandatory PMF posture. Legacy clients without a 6 GHz radio cannot see the SSID on this band, which is exactly what you want.
  • Guest SSID — if everything that joins will be modern, use Enhanced Open (OWE) on UniFi 10.2+ for a password-free encrypted guest network.³³ Otherwise, a separate WPA2/WPA3 transition SSID with a different passphrase is fine.
  • IoT SSID — for the legacy IoT cohort that fails to associate in transition mode (older Sonos, older Ring, older Nest, original Switch, certain printers), spin up a separate 2.4-GHz-only SSID set to WPA2-only with PMF disabled. The standards-body advice for this exact case is in the Wi-Fi Alliance roadmap quoted above.³ Pin this SSID to a dedicated IoT VLAN with deny-by-default inter-VLAN rules.
  • PPSK SSID — if the household uses UniFi PPSK to give each guest or housekeeper their own credential, that SSID has to stay on WPA2 until Ubiquiti ships WPA3 PPSK.²⁸ Treat it as a managed exception, not a permanent default.
  • Wi-Fi 7 / MLO clients — when the household's primary devices are Wi-Fi 7 and benefit from Multi-Link Operation, a separate WPA3-only SSID with MLO enabled is the right answer.²⁶ Legacy clients route to the transition-mode SSID instead.

That is the entire decision tree. Two SSIDs for most homes (main transition-mode plus IoT WPA2-only), three or four for households with a guest network or a Wi-Fi 7 MLO cohort. None of it requires deprecating WPA2 across the board, and none of it leaves the main SSID on security weaker than the modern clients can negotiate.
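The constraints from § 05, § 07 and this decision tree can be applied mechanically to an SSID inventory before anything is changed on the controller. The following is an added example, not part of the original article: the dictionary schema, SSID names and values are hypothetical and constructed, and they are not the UniFi API or export format.

```python
WPA2, TRANSITION, WPA3, OWE = "wpa2", "wpa2/wpa3", "wpa3", "owe"


def lint_ssid(s: dict) -> list:
    """Return the constraint violations for one SSID (hypothetical schema)."""
    issues = []
    sec, pmf, bands = s["security"], s["pmf"], set(s["bands"])
    # § 05: WPA2 and transition mode are not permitted on 6 GHz.
    if "6" in bands and sec not in (WPA3, OWE):
        issues.append("6 GHz enabled: only WPA3 or OWE is permitted on that band")
    # § 05: an MLO SSID must use WPA3 across all involved bands.
    if s.get("mlo") and sec != WPA3:
        issues.append("MLO requires WPA3 on every band")
    # § 07: PPSK does not work with WPA3.
    if s.get("ppsk") and sec != WPA2:
        issues.append("PPSK does not work with WPA3; SSID must stay on WPA2")
    # § 01 / § 07: PMF is offered in transition mode and mandatory in WPA3-only.
    if sec == TRANSITION and pmf == "disabled":
        issues.append("PMF cannot be disabled on a WPA2/WPA3 SSID")
    if sec == WPA3 and pmf != "required":
        issues.append("WPA3-only SSID must have PMF required")
    # § 08: passphrase of 20 characters or more on shared-passphrase SSIDs.
    if sec in (WPA2, TRANSITION) and not s.get("ppsk") \
            and s.get("passphrase_len", 0) < 20:
        issues.append("passphrase shorter than 20 characters")
    # § 03 / § 08: WPA2-only SSIDs belong on an isolated segment.
    if sec == WPA2 and not s.get("isolated_vlan"):
        issues.append("WPA2-only SSID is not on an isolated segment")
    return issues


def lint_plan(plan: list):
    """Lint every SSID and list those that still accept the WPA2 handshake."""
    report = {s["name"]: lint_ssid(s) for s in plan}
    wpa2_path = [s["name"] for s in plan if s["security"] in (WPA2, TRANSITION)]
    return report, wpa2_path


# Constructed inventory; names and values are illustrative only.
PLAN = [
    {"name": "Home", "bands": ["2.4", "5"], "security": TRANSITION,
     "pmf": "optional", "passphrase_len": 24},
    {"name": "Home-6G", "bands": ["2.4", "5", "6"], "security": TRANSITION,
     "pmf": "optional", "passphrase_len": 24},
    {"name": "IoT", "bands": ["2.4"], "security": WPA2,
     "pmf": "disabled", "passphrase_len": 22, "isolated_vlan": True},
    {"name": "Staff-PPSK", "bands": ["2.4", "5"], "security": WPA3,
     "pmf": "required", "ppsk": True},
    {"name": "Fast-MLO", "bands": ["5", "6"], "security": WPA3,
     "pmf": "optional", "mlo": True},
    {"name": "Guest", "bands": ["5", "6"], "security": OWE, "pmf": "required"},
]

if __name__ == "__main__":
    report, wpa2_path = lint_plan(PLAN)
    for name, issues in report.items():
        print(name, "OK" if not issues else issues)
    print("SSIDs that still accept WPA2:", wpa2_path)
```

The second return value lists the SSIDs that inherit the WPA2 attack surface discussed in § 03, which is the set to revisit once every client on them can do WPA3.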

§ 09 · Honest caveats

Where this article is firm, and where it is soft.

  • WPA2-AES with PMF and a strong passphrase is still defensible. CISA's current home Wi-Fi guidance treats it as acceptable. The article does not claim WPA2-only is broken — it claims WPA2/WPA3 transition mode is the better default on hardware that supports it. Households with no modern Wi-Fi clients yet (rare in 2026) do not need to move.
  • The Dragonblood downgrade attack requires specific positioning. The attacker must be within radio range of the client at the moment the client tries to associate to the rogue WPA2-only AP broadcasting the same SSID, and must be able to sustain that broadcast long enough for the victim to associate and the captured handshake to be harvested.¹⁶ This is not as easy as cracking an open coffee-shop network, but it is well within reach of a determined attacker with a USB radio and proximity to the home. The fix — WPA3-only — is the right answer for households where this matters.
  • 20-30% failure rate is for enterprise passphrase networks at the time of switchover. Jennifer Minella's number describes endpoints failing to join when transition mode is first enabled.²⁷ Residential numbers will differ — fewer clients, narrower device variety, tighter household-specific knowledge of what each device is. Expect a small number of named devices to fail; expect to put them on the IoT SSID.
  • FragAttacks and SSID Confusion affect WPA3 implementations too. Mathy Vanhoef's FragAttacks disclosure (2021) and the 2024 SSID Confusion vulnerability (CVE-2023-52424) both affect WPA2 and WPA3 implementations equally. Moving to WPA3 does not immunize a network against implementation-level Wi-Fi flaws; the fixes are firmware patches, which reputable vendors have shipped.
  • NIST SP 800-97 — the federal Wi-Fi security guide — was withdrawn on 31 December 2025 with no designated successor. NIST now directs readers to IEEE 802.11 directly. The federal guidance picture is split: NSA endorses transition mode for home networks, CISA endorses WPA2-AES or WPA3 either way, NIST defers entirely to the underlying IEEE standard. None of the three tells you to pick WPA3-only; none of the three tells you transition mode is dangerous in residential.
  • Vendor compatibility matrices move. Apple's Recommended Wi-Fi Settings article and the Sonos and Ring compatibility lists have all shifted in the last two years and will shift again. If the article is being read more than six months after publication, verify the named devices against the live vendor page before quoting them in a customer-facing audit.

None of these change the recommendation. WPA2/WPA3 transition mode is the right default on the modern residential SSID; the exceptions are documented; the escape hatches into WPA3-only and into a dedicated IoT WPA2-only SSID are both available.

// REFERENCES

  1. Wi-Fi Alliance — Wi-Fi CERTIFIED WPA3 Technology Overview, January 2021. Source for the PMF mandate across WPA3 modes, the Hash-to-Element description, and the MFPC/MFPR bit definitions for transition mode. wi-fi.org — Wi-Fi CERTIFIED WPA3 Technology Overview (PDF)
  2. Wi-Fi Alliance — WPA3 Specification v3.5, 26 February 2025. Source for the normative AKM suite identifiers (00-0F-AC:2, :8, :24), the MFPC/MFPR bit configuration in WPA3-Personal Transition Mode (Section 2.3), and the explicit prohibition on transition mode in the 6 GHz and Sub-1-GHz bands. wi-fi.org — WPA3 Specification v3.5 (PDF)
  3. Wi-Fi Alliance — Wi-Fi Security Roadmap and WPA3 Updates, December 2020. Source for the normative recommendation to use separate SSIDs when transition mode does not meet security requirements, the framing of Transition Disable Indication as a mandatory WPA3 feature, and the acknowledgment that WPA2-Personal is still vulnerable to all classic issues when present on a transition-mode SSID. wi-fi.org — Wi-Fi Security Roadmap and WPA3 Updates (PDF, Dec 2020)
  4. Wi-Fi Alliance — Wi-Fi Alliance® introduces Wi-Fi CERTIFIED WPA3™ security, 25 June 2018. Source for the WPA3 launch and the SAE / PMF / no-legacy-protocols definition of the standard. wi-fi.org — WPA3 launch press release
  5. IEEE Standards Association — IEEE Std 802.11-2024. The consolidated 802.11 standard incorporating SAE updates, Hash-to-Element, and the prior 802.11w-2009 PMF amendment. Cited alongside the NIST SP 800-97 withdrawal notice (31 December 2025, no successor designated; NIST directs readers to IEEE 802.11 directly). standards.ieee.org — IEEE Std 802.11-2024 / csrc.nist.gov — NIST SP 800-97 (withdrawn)
  6. IEEE Standards Association — IEEE Std 802.11w-2009: Protected Management Frames. Original Wi-Fi management-frame-encryption amendment, ratified September 2009, now consolidated into 802.11-2024. standards.ieee.org — IEEE Std 802.11w-2009
  7. National Security Agency — WPA3 Will Enhance Wi-Fi Security, Cybersecurity Technical Report, June 2018 (document ID U/OO/173671-18). Source for the SAE description, the 400,000-passwords-per-second figure for WPA2-PSK offline-dictionary attack rates, and the explanation of why PMF is mandatory in WPA3. media.defense.gov — NSA WPA3 Technical Report (PDF)
  8. National Security Agency — Best Practices for Securing Your Home Network, Cybersecurity Information Sheet, 22 February 2023 (document ID U/OO/119184-23). Source for the explicit endorsement of WPA2/WPA3 transition mode for home networks, the 20-character minimum passphrase recommendation, and the Protected Management Frames guidance. media.defense.gov — NSA Home Network CSI (PDF, Feb 2023)
  9. Cybersecurity and Infrastructure Security Agency — Project Upskill, Module 5: Securing Your Home Wi-Fi. Source for the current federal position that WPA3 Personal and WPA2-AES are both acceptable home Wi-Fi encryption choices, and that WEP, WPA, and WPA2-TKIP are not. cisa.gov — Project Upskill Module 5
  10. Apple — Recommended settings for Wi-Fi routers and access points, last updated 26 March 2026. Source for Apple's direct endorsement of WPA2/WPA3 Transitional, the “Weak Security” deprecation list (WPA/WPA2 mixed modes, WPA Personal, WEP, TKIP), and the security guidance for current Apple devices. support.apple.com — Recommended Wi-Fi settings
  11. Apple — Apple Platform Security: Security features when connecting to wireless networks. Source for the WPA3-supported Apple device list (iPhone 7+, iPad 5th gen+, Macs late-2013 and later with 802.11ac, Apple TV 4K, Apple Watch Series 3+, all HomePod models), the WPA3 R3 addition of Transition Disable Indication and H2E support in iOS 16 / iPadOS 16 / macOS 13, and the PMF supported-device list. support.apple.com — Platform Security: Wireless
  12. Microsoft — Faster and more secure Wi-Fi in Windows. Source for the WPA3-Personal, WPA3-Enterprise, and WPA3-Enterprise 192-bit support framing in Windows 10/11, and the cross-roaming caveat for WPA2/WPA3 mixed environments. support.microsoft.com — Faster and More Secure Wi-Fi in Windows
  13. Android Open Source Project — WPA3 and Wi-Fi Enhanced Open, last updated 10 April 2026. Source for Android 10 introducing WPA3 and OWE support, Android 12 adding Transition Disable Indication and Hash-to-Element exchange, and the Android Wi-Fi public API surface. source.android.com — WPA3 and Wi-Fi Enhanced Open
  14. eero — eero Now Supports WPA3, August 2020. Source for the vendor admission that the eero firmware launch of WPA3 used transition mode and that “our testing has revealed interoperability issues with some legacy devices.” blog.eero.com — eero Now Supports WPA3
  15. Google — Security features for Google Nest Wifi and Google Wifi. Source for Google's disclosure that Nest Wifi defaults to WPA2 for compatibility with legacy devices, and the explicit warning that some legacy devices may experience connection issues under WPA3 transition mode. support.google.com — Google Nest Wifi security features
  16. Mathy Vanhoef (NYU Abu Dhabi) and Eyal Ronen (Tel Aviv University) — Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd, IEEE Symposium on Security and Privacy 2020. Source for the Section 4.1.1 transition-mode downgrade attack and the four-way-handshake-message-2 dictionary attack with no MITM position required. mathyvanhoef.com — Dragonblood paper (PDF) / wpa3.mathyvanhoef.com — disclosure site
  17. CERT Coordination Center — VU#871675: WPA3 design issues and implementation vulnerabilities in hostapd and wpa_supplicant, 12 April 2019 (revised 5 June 2019). Source for the coordinated disclosure record of the Dragonblood vulnerability family. kb.cert.org — VU#871675
  18. NIST National Vulnerability Database — CVE-2019-9494 (SAE timing side-channel), with companion entries CVE-2019-9495 through CVE-2019-9499 covering the EAP-pwd side-channel, SAE DoS, and EAP-pwd authentication-bypass weaknesses. All published 17 April 2019; affects hostapd and wpa_supplicant ≤ 2.7. nvd.nist.gov — CVE-2019-9494
  19. TrustedSec (Michael Bond and David Boyd) — The Dangers of Transition Mode, 2 July 2024. Source for the practical reproduction of the Dragonblood downgrade attack against WPA2/WPA3 transition mode SSIDs across Aruba, Ubiquiti, MikroTik, and Cisco Meraki APs. trustedsec.com — The Dangers of Transition Mode
  20. RedLegg (Meghann Lees and Erin Rosa) — Transition Trap: Why WPA3 Isn't Bulletproof Against an Evil Twin Attack, 16 June 2025. Source for an eaphammer-based evil-twin demonstration against transition mode and the offline-handshake-cracking attack chain. redlegg.com — WPA3 Evil Twin Attack
  21. Certified Wireless Network Professional (CWNP) — Three Traps of WPA Transition Modes, Eva Santos, 6 February 2025. Source for the framing that WPA3-Personal transition mode does not improve security over WPA2-Personal for devices on the WPA2 side of the SSID and that operators are better off separating WPA2 and WPA3 onto distinct SSIDs. cwnp.com — Three Traps of WPA Transition Modes
  22. Cisco Meraki — WPA3 Encryption and Configuration Guide. Source for the normative statement that WPA2 is not permitted in 6 GHz operation, the PMF mandate on 6 GHz, and the transition-mode behaviour under the Meraki dashboard. documentation.meraki.com — WPA3 Encryption and Configuration
  23. HPE Aruba Networking — WPA3-Enterprise deployment documentation. Source for the statement that transition mode is automatically overruled and disabled when WPA3-Enterprise is configured on a 6 GHz radio. arubanetworking.hpe.com — WPA3-Enterprise
  24. Juniper Networks — Mist — Considerations for 6 GHz Wireless. Source for the named breaking-device claim: “Older devices (such as Android 9 and older as well as Microsoft Surface devices with Marvell chipsets) have had trouble connecting to WPA3-Personal Transition networks.” juniper.net — Considerations for 6 GHz Wireless
  25. WiGLE — WiGLE Statistics. Source for the global Wi-Fi encryption mix observation (approximately 75% WPA2, 3% WPA3, plus a long tail of WPA, WEP, and unknown) across more than 1.7 billion unique networks observed worldwide as of late 2025. wigle.net — Stats
  26. Rasika Nayanajith (CCIE Wireless, CWNE) — Why Is WPA3 Adoption So Slow?, 20 February 2026, citing Wes Purvis's WLPC 2026 presentation on HPE-Juniper Mist telemetry: roughly 10% of authentications are WPA3, only 1% of those WPA3-Personal. Companion citation: Juniper Mist's 12 November 2025 release notes making WPA3 the default security type for newly created WLANs. Companion citation: Ubiquiti's help-center Multi-Link Operation article documenting the WPA3-only requirement for MLO SSIDs. mrncciew.com — Why Is WPA3 Adoption So Slow? / juniper.net — Mist Nov 12 2025 updates / help.ui.com — MLO in UniFi Network
  27. Packet Pushers — Heavy Wireless 002: Making the Transition to WPA3 with Jennifer Minella, 16 May 2023. Host Keith Parsons CWNE #3; guest Jennifer Minella CWNE, author of Wireless Security Architecture (Wiley). Source for the 20-30% endpoint-failure-rate figure on enterprise passphrase networks moving from WPA2 to WPA2/WPA3 transition mode, and the observation that failures do not correlate cleanly with device age. packetpushers.net — Heavy Wireless 002
  28. HostiFi — Ubiquiti releases UniFi 7.5.187 with support for PPSK, Alex Lowe, 18 October 2023. Source for the documented constraint that Ubiquiti's Private Pre-Shared Key feature requires WPA2 and does not currently work with WPA3. hostifi.com — UniFi 7.5.187 PPSK
  29. Ubiquiti Help Center — UniFi WiFi SSID and AP Settings Overview. Source for Ubiquiti's recommendation to use WPA2/WPA3 for most environments, the framing of PMF as a required component of WPA3, the description of WPA2-only as appropriate for legacy IoT, and the note that PMF cannot be disabled on WPA2/3 and WPA3 networks. help.ui.com — UniFi WiFi SSID and AP Settings Overview
  30. Ubiquiti Help Center — Getting Started with 6 GHz. Source for the requirement that all 6 GHz networks on UniFi be secured with OWE or WPA3. help.ui.com — Getting Started with 6 GHz
  31. Nintendo Support — Internet Connection Requirements (Nintendo Switch). Source for the original Switch and Switch Lite security support list: WEP, WPA-PSK(AES), WPA2-PSK(AES). No WPA3. nintendo.com — Switch network requirements
  32. Nintendo Support — Internet Connection Requirements (Nintendo Switch 2). Source for the addition of WPA3-SAE(AES) support on the Switch 2. nintendo.com — Switch 2 network requirements
  33. Ubiquiti Blog — Introducing UniFi Network 10.2, 12 March 2026. Source for the launch of Enhanced Open (OWE) mode in the UniFi Network application, the WPA3-grade security framing for guest networks, and the 6 GHz support note. blog.ui.com — Introducing UniFi Network 10.2
  34. Sonos Support — Supported Wi-Fi modes and security standards for Sonos products. Source for the per-model WPA3 compatibility matrix (Era 100/300/Pro, Arc, Beam, current Move, One Gen 2 etc. supported; Play:1/3/5 Gen 2, original One, Sub Gen 1+2, original Symfonisk models not supported) and the recommendation to use WPA2/WPA3 Transitional for mixed-fleet Sonos households. support.sonos.com — Supported Wi-Fi modes for Sonos products
  35. Ring Support — Wi-Fi Security Protocols for Your Ring Devices. Source for the early-2025 Ring compatibility list: Doorbell Pro 2, Indoor Cam (2nd Gen), and Stickup Cam Pro support WPA3; the rest of the Ring fleet is WPA2. ring.com — Wi-Fi Security Protocols for Ring Devices
  36. HP Community (HP-staffed Q&A) — WPA3 support for HP Printers. Source for HP's current position that mainstream HP printers support PMF only under WPA/WPA2 and that transition mode is the recommended path for households running WPA3 on other devices. h30434.www3.hp.com — WPA3 support for HP Printers
  37. Brother Support — Wi-Fi setup with WPA3-capable Brother label printers. Source for the documented limitation that the WPS easy-setup flow does not work under WPA3, and that WPA3-capable Brother printers must be set up via USB and the driver wizard instead. support.brother.com — WPA3 + WPS limitation