The advanced protocol, certified through Wi-Fi Alliance's WPA2 program, implements the mandatory elements of 802.11i. In particular, it introduces a new AES-based algorithm, CCMP, that is considered fully secure. From March 13, 2006, WPA2 certification is mandatory for all new devices wishing to be certified by the Wi-Fi Alliance as "Wi-Fi CERTIFIED."
Security is strengthened by employing a PBKDF2 key derivation function. However, the weak passphrases users may typically employ are vulnerable to password cracking attacks. To protect against a brute force attack, a truly random passphrase of 13 characters (selected from the set of 95 permitted characters) is probably sufficient. Rainbow tables have been computed by the Church of WiFi for the top 1000 SSIDs for a million different WPA/WPA2 passphrases. To further protect against intrusion the network's SSID should not match any entry in the top 1000 SSIDs.
Some consumer chip manufacturers have attempted to bypass weak passphrase choice by adding a method of automatically generating and distributing strong keys through a software or hardware interface that uses an external method of adding a new wireless adapter or appliance to a network. These methods include pushing a button (Broadcom SecureEasySetup and Buffalo AirStation One-Touch Secure System) and entering a short challenge phrase through software (Atheros JumpStart and ZyXEL OTIST). The Wi-Fi Alliance has standardized these methods and certifies compliance with these standards through a program called Wi-Fi Protected Setup (formerly Simple Config).
The EAP types now included in the certification program are:
Other EAP types may be supported by 802.1X clients and servers developed by specific firms. This certification is an attempt for popular EAP types to interoperate; their failure to do so is currently one of the major issues preventing rollout of 802.1X on heterogeneous networks.
Most newer Wi-Fi CERTIFIED devices support the security protocols discussed above, out-of-the-box, as compliance with this protocol has been required for a Wi-Fi certification since September 2003.
The protocol certified through Wi-Fi Alliance's WPA program (and to a lesser extent WPA2) was specifically designed to also work with wireless hardware that was produced prior to the introduction of the protocol which usually had only supported inadequate security through WEP. Many of these devices support the security protocol after a firmware upgrade. Firmware upgrades are not available for all legacy devices.