Secure WiFi With Per Device Passphrases

Per-device passphrases are unique WiFi passwords assigned to individual devices on your network. Unlike traditional WiFi setups where all devices share a single password, or where a separate SSID and passphrase is used for Guests, this technology allows for device-specific network access, creating a more secure and manageable environment.

SPR supports both WPA2 and WPA3 for per-device passphrases.

The Security Benefits of Per-Device Passphrases

Device-specific WiFi passwords offer a level of granular network access control that was previously unavailable in consumer-grade routers. This technology enables:

• Enhanced WiFi Security: By assigning unique passwords to each device, you significantly reduce the risk of unauthorized access if a password is shared.
• Device Isolation: Each device can be effectively isolated on the network, preventing lateral movement in case of a breach.
• Granular Access Control: Easily manage which devices can access specific network resources or the internet.
• Simplified BYOD Management: Perfect for both home and small business environments where multiple personal devices need secure access.
• IoT Device Security: Install your smart home devices without compromising your main network's integrity.

Single SSID: Reducing Beacon Noise for Enhanced WiFi Performance

In addition to the security benefits of per-device WiFi passwords and WPA3, using a single SSID also addresses a common issue in wireless networks: beacon noise. Access Points continually broadcast beacon frames containing network information, including the SSID. These beacons are essential for stations to connect to Access Points, but they can also contribute to network congestion, especially in environments with multiple SSIDs.

The Problem with Multiple SSIDs & Guest Networks

Traditional approaches to network segmentation often involve creating multiple SSIDs (e.g., one for guests, one for IoT devices, one for employees). While this seems logical for organization, it has drawbacks:

1. Increased Beacon Traffic: Until the MBSSID element was implemented with Wi-Fi 6 (802.11ax), each SSID required its own set of beacon frames, multiplying the amount of management traffic on your wireless network. For backwards compatibility multiple beacon frames may still be broadcast per SSID.
2. Reduced Airtime Efficiency: More beacons mean less airtime for actual data transmission, potentially slowing down your network.
3. Difficult or Weak Isolation Between Networks: It can be difficult to securely route to and from Guest Network devices from the Main Network and a router's implementation may not have strong isolation.

Key Features of Our Per-Device Passphrase Implementation:

By combining the power of per-device WiFi passwords, WPA3 encryption, and a single SSID approach, SPR not only enhances security but also optimizes network performance by reducing beacon noise. This holistic approach to wireless networking ensures that your WiFi is not just secure, but also efficient and user-friendly.

1. WPA3 Support: We're proud to be the first to offer WPA3 support for per-device passphrases. WPA3 provides stronger cryptographic properties than WPA2. Learn more about our WPA3 implementation.

2. Flexible Password Generation: Users can either generate random passwords or set their own, providing both convenience and control.

3. QR Codes Make It Easy: Randomly generated passwords can be hard to type. That's why SPR supports QR Codes for adding new devices.

4. Cryptographic Device Identity: Each password serves as a cryptographic secret, guaranteeing the identity of the device on the network. We only accept that specific password for the device's MAC address, which is then assigned to an IP address on the network. This allows the firewall to block MAC spoofing attempts.

5. Unlimited Devices: SPR supports an infinite number of passphrases and devices, with no artificial limits.

6. Secure Guest Access: Users can easily create temporary, single-use WiFi credentials for visitors without compromising their own network

7. iCloud Keychain Compatibility: We're fully compatible with iCloud Keychain, making it easy for Apple users to manage their devices. However, it's important to note that iCloud Keychain synchronizes passwords across devices, so Apple devices belonging to the same user should use the same password. See: How To Duplicate Devices. Users can also look up the WiFi password with their 2FA credential for SPR.

Using Per Device Passwords with SPR

See the Device Management Guide and WiFi Settings for details on getting started with Secure WiFi on SPR.

Additional Resources

• MBSSID
• 802.11b SSID Overhead Calculator
• Our Introduction of WPA3 Per Device Password support
• Breaking WPA3: Our Dragonfly CTF Challenge