Secure access to wireless networks
All Apple platforms support industry-standard Wi-Fi authentication and encryption protocols, to provide authenticated access and confidentiality when connecting to the following secure wireless networks:
WPA2 Personal
WPA2 Enterprise
WPA2/WPA3 Transitional
WPA3 Personal
WPA3 Enterprise
WPA3 Enterprise 192-bit security
WPA2 and WPA3 authenticate each connection and provide 128-bit AES encryption to help ensure confidentiality of data sent over the air. This grants users the highest level of assurance that their data remains protected when they’re sending and receiving communications over a Wi-Fi network connection.
WPA3 support
WPA3 is supported on the following Apple devices:
iPhone 7 or later
iPad 5th generation or later
Apple TV 4K or later
Apple Watch Series 3 or later
Mac computers (late 2013 or later, with 802.11ac or later)
Newer devices support authentication with WPA3 Enterprise 192-bit security, which includes support for 256-bit AES encryption when connecting to compatible wireless access points (APs). This encryption provides even stronger confidentiality protections for traffic sent over the air. WPA3 Enterprise 192-bit security is supported in all iPhone 11 models or later, all iPad models starting with the iPad 7th generation, and all Mac computers with Apple silicon.
PMF support
In addition to protecting data sent over the air, Apple platforms extend WPA2 and WPA3 level protections to unicast and multicast management frames through the Protected Management Frame (PMF) service defined in 802.11w. PMF support is available on the following Apple devices:
iPhone 6 or later
iPad Air 2 or later
Apple TV HD or later
Apple Watch Series 3 or later
Mac computers (late 2013 or later, with 802.11ac or later)
With support for 802.1X, Apple devices can be integrated into a broad range of RADIUS authentication environments. 802.1X wireless authentication methods supported include EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM, PEAPv0, and PEAPv1.
Platform protections
Apple operating systems protect the device from vulnerabilities in network processor firmware. This means that network controllers with Wi-Fi have limited access to Application Processor memory.
When USB or SDIO (Secure Digital Input Output) is used to interface with the network processor, the network processor can’t initiate direct memory access (DMA) transactions to the Application Processor.
When PCIe is used, each network processor is on its own isolated PCIe bus. An Input/Output Memory Management Unit (IOMMU) on each PCIe bus further limits the network processor’s DMA access to only memory and resources containing its network packets and control structures.
Deprecated protocols
Apple products support the following deprecated Wi-Fi authentication and encryption protocols:
WEP Open, with both 40-bit and 104-bit keys
WEP Shared, with both 40-bit and 104-bit keys
Dynamic WEP
Temporal Key Integrity Protocol (TKIP)
WPA
WPA/WPA2 Transitional
These protocols are no longer considered secure, and their use is strongly discouraged for compatibility, reliability, performance, and security reasons. They are supported for backward compatibility purposes only and may be removed in future software versions.
It’s recommended that all Wi-Fi implementations be migrated to WPA3 Personal or WPA3 Enterprise, to provide the most robust, secure, and compatible Wi-Fi connections possible.
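To check which of the network types above an access point actually advertises before or after a migration, the following added example (not part of Apple's documentation) parses the RSN element from a beacon or probe response, reports the PMF bits, and flags WEP or TKIP ciphers. The suite selector and capability bit values come from IEEE 802.11; the function names, the simplified classification rules (for instance, treating 802.1X with PMF required as WPA3 Enterprise) and the hex samples are assumptions constructed for illustration.

```python
import struct

OUI = bytes.fromhex("000fac")  # OUI used by IEEE 802.11 suite selectors
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 9: "GCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 8: "SAE", 12: "SuiteB-192"}
DEPRECATED = {"WEP-40", "WEP-104", "TKIP"}

def _suites(body, off, table):  # 2-byte count, then that many 4-byte selectors
    if off + 2 > len(body):
        raise ValueError("truncated RSN element")
    end = off + 2 + 4 * struct.unpack_from("<H", body, off)[0]
    if end > len(body):
        raise ValueError("truncated suite list")
    sels = [body[i:i + 4] for i in range(off + 2, end, 4)]
    return [table.get(s[3], "unknown") if s[:3] == OUI else "vendor" for s in sels], end

def parse_rsn(ie):
    """Parse an RSN element (ID 48); capability bit 6 = MFPR, bit 7 = MFPC."""
    if len(ie) < 8 or ie[0] != 48 or ie[1] != len(ie) - 2 or ie[2:4] != b"\x01\x00":
        raise ValueError("not a well-formed version 1 RSN element")
    body = ie[2:]
    group = CIPHERS.get(body[5], "unknown") if body[2:5] == OUI else "vendor"
    pairwise, off = _suites(body, 6, CIPHERS)
    akms, off = _suites(body, off, AKMS)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"group": group, "pairwise": pairwise, "akms": set(akms),
            "pmf_capable": bool(caps & 0x80), "pmf_required": bool(caps & 0x40)}

def classify(rsn):  # simplified mapping to the network types named on this page
    akms = rsn["akms"]
    if DEPRECATED & ({rsn["group"]} | set(rsn["pairwise"])):
        return "deprecated cipher advertised"
    if "SuiteB-192" in akms:
        return "WPA3 Enterprise 192-bit security"
    if "SAE" in akms:
        return "WPA2/WPA3 Transitional" if "PSK" in akms else "WPA3 Personal"
    if akms & {"802.1X", "802.1X-SHA256"}:
        return "WPA3 Enterprise" if rsn["pmf_required"] else "WPA2 Enterprise"
    return "WPA2 Personal" if "PSK" in akms else "unknown"

# Constructed RSN elements (hex); not captured from any real network.
SAMPLES = {
    "wpa2_psk": "30140100000fac040100000fac040100000fac020000",
    "transition": "30180100000fac040100000fac040200000fac02000fac088000",
    "wpa3_sae": "30140100000fac040100000fac040100000fac08c000",
    "tkip_mixed": "30180100000fac020200000fac04000fac020100000fac020000",
}
for name, hexie in SAMPLES.items():
    print(name, "->", classify(parse_rsn(bytes.fromhex(hexie))))
```

An element that lists TKIP alongside CCMP is reported as deprecated even when the AKM is WPA2 PSK, because a client may still negotiate the weaker cipher on such a network.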