The WBA’s Wi-Fi Security Guidelines define a new industry framework designed to strengthen security, privacy and trust across Wi-Fi networks, including public, enterprise, IoT and roaming environments.
With Wi-Fi critical to digital services, inconsistent security can expose users and operators to threats like rogue access points, credential theft, and privacy breaches, this guidelines will help organizations reduce exposure to common Wi-Fi threats, improve user trust, and simplify interoperability across networks and partners. For operators and enterprises, this results in more predictable security outcomes and greater confidence when deploying or scaling Wi-Fi services.
The guidelines address the growing need for carrier-grade security that aligns with user expectations. Built on widely deployed technologies including OpenRoaming™ and Passpoint®, the report sets out a clear, standards-based framework for securing Wi-Fi end-to-end, from device authentication through to physical and backhaul security, Layer-2 protection, RadSec adoption, federation governance and readiness for post-quantum cryptography.
The guidelines on securing Wi-Fi networks are designed to:
- Prevent connections to rogue and fake networks: Mandates mutual authentication using 802.1X and strong EAP, requiring devices to validate network certificates before sharing credentials, reducing evil-twin and rogue AP attacks.
- Protect data over the air: Enforces WPA2/WPA3-Enterprise with AES encryption and Protected Management Frames (PMF), safeguarding traffic against sniffing, deauthentication, and man-in-the-middle attacks.
- Preserve user identity privacy without breaking compliance: Uses anonymous identities, encrypted inner identities, pseudonyms, and Chargeable-User-Identity (CUI) to protect personal data while allowing lawful intercept, billing, and incident handling.
- Secure credentials end-to-end: Requires secure OS key stores, hardened credential storage, and tamper-resistant SIM/USIMs, reducing large-scale credential theft.
- Harden the entire access network: Provides guidance on physical security, encrypted AP-to-controller links, secure backhaul, and local breakout architectures, protecting traffic across the full network path.
- Secure AAA and roaming signaling: Recommends RADIUS over TLS or DTLS for all AAA and roaming exchanges, protecting authentication and accounting traffic and aligning with OpenRoaming and WRIX.
- Add Layer-2 protections against lateral attacks: Promotes traffic inspection, client isolation, proxy ARP, and multicast/broadcast controls to limit client-to-client attacks.
- Enforce security through federation and governance: Uses OpenRoaming and WRIX frameworks to consistently apply security requirements, responsibilities, and privacy obligations across operators, identity providers, and hubs.
Interested in joining?
For current WBA Members: Contact the WBA to register your interest in the next trial phase. https://wballiance.com/engage-with-wba/
For organizations not yet part of WBA: Contact WBA Membership at membership@wballiance.com to learn how to join and participate in upcoming programs.
Download other publications, visit the WBA Resource Centre.
This whitepaper is brought to you by: WBA Roaming Work Group.
To participate and learn more about WBA coming projects, contact WBA PMO.
