What is WPS (WiFi Protected Setup)?
WPS (WiFi Protected Setup) lets devices connect to WiFi by pressing a button or entering a PIN instead of typing a password. Learn how WPS works, why it is a security risk, how to disable it, and what alternatives to use.
WPS (WiFi Protected Setup) is a network security feature found on most consumer routers that simplifies the process of connecting devices to a WiFi network. Instead of locating the network name, selecting it on the device, and typing a long password, WPS lets users connect by pressing a button or entering a short PIN. The Wi-Fi Alliance introduced WPS in 2006 with the goal of making secure WiFi accessible to non-technical users who might otherwise leave their networks unprotected.
The intention was sound, but the execution introduced a serious security flaw. In 2011, researcher Stefan Viehböck published a paper demonstrating that the WPS PIN method could be brute-forced in a matter of hours. This vulnerability affects nearly every router that implements WPS with PIN authentication, and it cannot be fixed with a simple firmware update because the flaw is in the protocol design itself.
How WPS Push-Button Works
The push-button method (PBC) is the simplest form of WPS. The router has a physical WPS button on its casing. When you want to connect a device, you press the router’s WPS button, which opens a two-minute enrollment window. During this window, you initiate a WPS connection on the device (either by pressing a WPS button on the device itself or selecting “Connect via WPS” in its WiFi settings).
The router and device perform a key exchange during this window. The router sends the network credentials (SSID and password) to the device over an encrypted channel. The device stores these credentials and connects to the network normally from that point forward. The entire process takes about 10 seconds.
Push-button WPS is reasonably secure in practice because an attacker would need physical access to the router to press the button. The two-minute window limits the exposure time. The risk is primarily that someone in your home or office could press the button and connect an unauthorized device without your knowledge.
Some routers implement a virtual WPS button in the admin panel instead of (or in addition to) the physical button. This provides the same functionality but can be triggered from a web browser by anyone logged into the router admin interface.
How WPS PIN Works
The PIN method uses an eight-digit number instead of a button press. There are two variations: the router generates a PIN that you enter on the connecting device, or the device generates a PIN that you enter in the router’s admin panel.
The router’s WPS PIN is often printed on a sticker on the bottom of the unit, alongside the default WiFi password and admin credentials. Some routers display it in the admin panel. The PIN remains constant unless you manually regenerate it.
When connecting via PIN, the device sends the PIN to the router. The router validates the PIN and, if correct, sends the network credentials to the device. The device then connects normally.
This is where the security problem lives. The PIN validation process is broken by design.
Why WPS PIN is a Security Risk
The WPS PIN vulnerability was disclosed by Stefan Viehböck in December 2011 and independently by Craig Heffner around the same time. The flaw is in how the router validates the eight-digit PIN.
An eight-digit number has 100 million possible combinations (10^8). Brute-forcing that many combinations would take years. However, the WPS protocol validates the PIN in two halves. The router first checks the first four digits. If they are wrong, it returns an error immediately. Only if the first four digits are correct does it check the second half.
This design flaw reduces the search space dramatically. The first half has 10,000 possibilities (10^4). The second half has only 1,000 effective possibilities because the eighth digit is a checksum calculated from the first seven. The total number of guesses needed drops from 100 million to approximately 11,000.
At one guess per second (a conservative rate), 11,000 guesses take about three hours. In practice, attacks using tools like Reaver or Bully can recover the WPS PIN within 2 to 10 hours depending on the router’s response time. Once the PIN is known, the attacker retrieves the full WiFi password regardless of how long or complex it is.
Some router manufacturers added rate-limiting (locking WPS after several failed attempts) as a mitigation. However, these lockouts are often temporary (resetting after a few minutes) and can be bypassed in some firmware implementations. The fundamental protocol flaw remains.
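The arithmetic in this section, as an added example that is not from the original article: it implements the WPS check-digit calculation, counts attempts against a local mock validator that confirms each half separately, and shows how a temporary lockout changes the worst-case time. `MockSplitValidator` and the lockout values (3 failures, 60 seconds) are assumptions made for illustration.

```python
# Added example: WPS PIN check digit and search-space arithmetic, offline only.
# MockSplitValidator and the lockout parameters are constructed for illustration.

def wps_checksum(first7: int) -> int:
    """Check digit for the first seven digits (weights 3,1,3,1,... from the right)."""
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10

def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])

class MockSplitValidator:
    """Stand-in for the flawed design: each half is confirmed on its own."""
    def __init__(self, pin: str):
        if not is_valid_pin(pin):
            raise ValueError("not a valid WPS PIN")
        self._pin, self.attempts = pin, 0

    def check(self, half: str, second: bool = False) -> bool:
        self.attempts += 1
        return half == (self._pin[4:] if second else self._pin[:4])

def attempts_needed(pin: str) -> int:
    """Attempts an ascending search needs when halves are confirmed separately."""
    v = MockSplitValidator(pin)
    first = next(i for i in range(10**4) if v.check(f"{i:04d}"))
    for i in range(10**3):  # only 3 free digits: the 8th is the check digit
        if v.check(f"{i:03d}{wps_checksum(first * 1000 + i)}", second=True):
            break
    return v.attempts

def worst_case_hours(guesses: int, secs_per_guess: float = 1.0,
                     lock_after: int = 0, lock_secs: int = 0) -> float:
    """Time for `guesses` attempts, with an optional temporary lockout."""
    lockouts = (guesses - 1) // lock_after if lock_after else 0
    return (guesses * secs_per_guess + lockouts * lock_secs) / 3600

if __name__ == "__main__":
    split, whole = 10**4 + 10**3, 10**7  # whole = PINs with a valid check digit
    print("split validation worst case:", attempts_needed("99999995"), "attempts")
    print(f"1 guess/s, split: {worst_case_hours(split):.1f} h")
    print(f"1 guess/s, whole PIN checked at once: {worst_case_hours(whole) / 24:.0f} days")
    print(f"split, 60 s lock every 3 failures: {worst_case_hours(split, 1, 3, 60):.0f} h")
```

The lockout figure shows why a temporary lock only stretches the timeline: the space being searched is still 11,000, not the 10 million a whole-PIN check would leave.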
How to Disable WPS
Disabling WPS is one of the most important security steps you can take on your home network. The process varies by router brand but follows a similar pattern.
- Log into your router’s admin panel (typically at 192.168.1.1 or 192.168.0.1).
- Go to the wireless security or WiFi settings section.
- Look for a WPS option. It may be under “Advanced Wireless Settings” or “WPS” as its own section.
- Set WPS to Disabled, Off, or toggle the switch.
- Save the settings and reboot the router if prompted.
Some routers let you disable the PIN method while keeping push-button WPS active. This is an acceptable compromise because the push-button method is not vulnerable to the same brute-force attack. If your router offers this granular control, disable PIN-based WPS specifically.
After disabling WPS, verify it is actually off. Some routers have been found to continue responding to WPS PIN requests even when the feature appears disabled in the admin panel. You can test this using network scanning tools like Wash (part of the Reaver suite), which identifies routers with active WPS.
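One way to make that verification concrete, as an added example that is not from the original article: an access point that still offers WPS advertises a vendor-specific WPS information element in its beacons and probe responses, so the check is whether that element is still present after the setting is changed. The sample bytes below are constructed; in practice the tagged parameters would come from a capture of your own router's frames.

```python
# Added example: look for the WPS information element in a frame's tagged parameters.
import struct

WPS_OUI_TYPE = bytes.fromhex("0050f204")  # OUI 00:50:F2, type 4 = WPS
ATTR_STATE, ATTR_LOCKED, ATTR_CONFIG_METHODS = 0x1044, 0x1057, 0x1008
METHODS = {0x0004: "label", 0x0008: "display", 0x0080: "push button", 0x0100: "keypad"}

def iter_ies(tagged: bytes):
    """Yield (element_id, body) for each 802.11 information element."""
    pos = 0
    while pos + 2 <= len(tagged):
        eid, length = tagged[pos], tagged[pos + 1]
        body = tagged[pos + 2 : pos + 2 + length]
        if len(body) < length:
            # A cut-off capture must not be mistaken for "WPS absent"
            raise ValueError("truncated information element")
        yield eid, body
        pos += 2 + length

def wps_status(tagged: bytes):
    """Return None if no WPS element is advertised, else a summary dict."""
    for eid, body in iter_ies(tagged):
        if eid != 221 or not body.startswith(WPS_OUI_TYPE):
            continue
        attrs, pos, data = {}, 0, body[4:]
        while pos + 4 <= len(data):  # WPS attributes: 2-byte type, 2-byte length
            atype, alen = struct.unpack_from(">HH", data, pos)
            attrs[atype] = data[pos + 4 : pos + 4 + alen]
            pos += 4 + alen
        methods = int.from_bytes(attrs.get(ATTR_CONFIG_METHODS, b""), "big")
        return {
            "configured": attrs.get(ATTR_STATE) == b"\x02",
            "ap_setup_locked": attrs.get(ATTR_LOCKED) == b"\x01",
            "methods": [name for bit, name in METHODS.items() if methods & bit],
        }
    return None

# Constructed samples: an SSID element, optionally followed by a WPS element
# (version 0x10, state 2 = configured, not locked, methods = label + push button)
SSID_IE = bytes([0, 7]) + b"HomeNet"
WPS_BODY = WPS_OUI_TYPE + bytes.fromhex("104a000110" "1044000102" "1057000100" "100800020084")
PROBE_WPS_ON = SSID_IE + bytes([221, len(WPS_BODY)]) + WPS_BODY
PROBE_WPS_OFF = SSID_IE

if __name__ == "__main__":
    print("before:", wps_status(PROBE_WPS_ON))
    print("after: ", wps_status(PROBE_WPS_OFF))
```

A result of `None` after the change is the outcome to look for; a dict that still lists `label` or `display` means PIN-based setup is still being advertised.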
Alternatives to WPS
WPS was designed to solve a real problem: entering long WiFi passwords is tedious, especially on devices with no keyboard. Several better alternatives exist today.
QR codes are the simplest replacement. Generate a QR code containing your WiFi network name and password. When a guest or new device needs to connect, they scan the QR code with their phone’s camera. Android and iOS both support WiFi QR code scanning natively. You can print the QR code and place it in your home for easy access.
Wi-Fi Easy Connect (DPP) is the WPA3-era replacement for WPS. It uses QR codes, NFC, or Bluetooth to securely provision devices onto the network. Unlike WPS, Easy Connect uses public key cryptography and does not have the brute-force vulnerability. WPA3-certified routers and devices support Easy Connect.
Near Field Communication (NFC) allows some devices to connect by tapping them against the router. The range is limited to a few centimetres, which provides physical security similar to WPS push-button but with a more modern approach.
Password managers and sharing features on smartphones allow you to share your WiFi password directly with nearby contacts. Apple devices share WiFi credentials with other Apple devices automatically when they detect a connection attempt. Android offers similar sharing through the Google ecosystem.
All of these alternatives are more secure than WPS PIN and more convenient than WPS in most scenarios. The WPS protocol is a legacy feature that has no place on a properly secured modern network.
Frequently Asked Questions
Should I disable WPS on my router?
Yes. The PIN-based WPS method has a known vulnerability that cannot be patched without fundamentally redesigning the protocol. Some routers disable only the PIN method while keeping push-button WPS active. If your router allows this, disable the PIN and keep the button if you find it useful. If the router only offers an all-or-nothing toggle, disable WPS entirely.
What is the WPS button on my router?
The WPS button is a physical button on the router (often labelled WPS or marked with two arrows forming a circle) that temporarily allows any WPS-capable device to join the network without entering a password. Pressing it opens a two-minute window during which a device can connect by also pressing its WPS button or selecting WPS in its WiFi settings.
Can WPS be hacked?
Yes. The WPS PIN method is vulnerable to a brute-force attack discovered in 2011. The eight-digit PIN is validated in two halves, reducing the number of guesses needed from 100 million to about 11,000. With freely available tools, an attacker can crack the PIN and gain network access within 2-10 hours. Some routers lack proper rate-limiting to slow these attacks.
How do I connect a device without WPS?
Simply select the WiFi network name (SSID) on the device and type the password. For devices without screens (like printers), use the manufacturer's mobile app or web setup interface to enter the WiFi credentials. QR codes generated from your WiFi password offer another way to connect without typing the password, and one that is more secure than WPS.
Does WPS work with WPA3?
No. The Wi-Fi Alliance intentionally removed WPS from the WPA3 specification because of its known security weaknesses. WPA3-certified devices use other methods for easy setup, including Wi-Fi Easy Connect (DPP), which uses QR codes for secure device provisioning. If your router uses WPA3, WPS should not be available or needed.