Wi-Fi Protected Setup (WPS) or Wi-Fi Simple Configure (WSC) is an optional certification program based on technology designed to ease the setup of security enabled Wi-Fi networks in home and small office environments. WPS supports methods (pushing a button or entering a PIN) that are familiar to most consumers to configure a network enable security [1].

Wi-Fi Protected Setup allows the owner of Wi-Fi privileges to block other users from using their household Wi-Fi.

Modes

The standard emphasizes usability and security, and allows four modes in a home network for adding a new device to the network:

PIN method

In which a PIN has to be read from either a sticker or display on the new wireless device. This PIN must then be entered at the "representant" of the network, usually the network's access point. Alternately, a PIN provided by the access point may be entered into the new device. This method is the mandatory baseline mode and everything must support it. The Wi-Fi Direct specification supersedes this requirement by stating that all devices with a keypad or display must support the PIN method.

Push button method

In which the user has to push a button, either an actual or virtual one, on both the access point and the new wireless client device. On most devices, this discovery mode turns itself off as soon as a connection is established or after a delay (typically 2 minutes or less), whichever comes first, thereby minimizing its vulnerability. Support of this mode is mandatory for access points and optional for connecting devices. The Wi-Fi Direct specification supersedes this requirement by stating that all devices must support the push button method.

Near-field communication method

In which the user has to bring the new client close to the access point to allow a near field communication between the devices. NFC Forum–compliant RFID tags can also be used. Support of this mode is optional.

USB method

In which the user uses a USB flash drive to transfer data between the new client device and the network's access point. Support of this mode is optional, but deprecated.

Technical architecture

The WPS protocol defines three types of devices in a network:

Registrar

A device with the authority to issue and revoke access to a network; it may be integrated into a wireless access point (AP), or provided as a separate device.

Enrollee

A client device seeking to join a wireless network.

AP

An access point functioning as a proxy between a registrar and an enrollee.

The WPS standard defines three basic scenarios that involve components listed above:

AP with integrated registrar capabilities configures an enrollee station (STA)

In this case, the session will run on the wireless medium as a series of EAP request/response messages, ending with the AP disassociating from the STA and waiting for the STA to reconnect with its new configuration (handed to it by the AP just before).

Registrar STA configures the AP as an enrollee

This case is subdivided in two aspects: first, the session could occur on either a wired or wireless medium, and second, the AP could already be configured by the time the registrar found it. In the case of a wired connection between the devices, the protocol runs over Universal Plug and Play (UPnP), and both devices will have to support UPnP for that purpose. When running over UPnP, a shortened version of the protocol is run (only two messages) as no authentication is required other than that of the joined wired medium. In the case of a wireless medium, the session of the protocol is very similar to the internal registrar scenario, but with opposite roles. As to the configuration state of the AP, the registrar is expected to ask the user whether to reconfigure the AP or keep its current settings, and can decide to reconfigure it even if the AP describes itself as configured. Multiple registrars should have the ability to connect to the AP. UPnP is intended to apply only to a wired medium, while actually it applies to any interface to which an IP connection can be set up. Thus, having manually set up a wireless connection, the UPnP can be used over it in the same manner as with the wired connection.

Registrar STA configures enrollee STA

In this case the AP stands in the middle and acts as an authenticator, meaning it only proxies the relevant messages from side to side.

Protocol

The WPS protocol consists of a series of EAP message exchanges that are triggered by a user action, relying on an exchange of descriptive information that should precede that user's action. The descriptive information is transferred through a new Information Element (IE) that is added to the beacon, probe response, and optionally to the probe request and association request/response messages. Other than purely informative type–length–values, those IEs will also hold the possible and the currently deployed configuration methods of the device. After this communication of the device capabilities from both ends, the user initiates the actual protocol session. The session consists of eight messages that are followed, in the case of a successful session, by a message to indicate that the protocol is completed. The exact stream of messages may change when configuring different kinds of devices (AP or STA), or when using different physical media (wired or wireless).

Band or radio selection

Some devices with dual-band wireless network connectivity do not allow the user to select the 2.4 GHz or 5 GHz band (or even a particular radio or SSID) when using Wi-Fi Protected Setup, unless the wireless access point has separate WPS button for each band or radio; however, a number of later wireless routers with multiple frequency bands and/or radios allow the establishment of a WPS session for a specific band and/or radio for connection with clients which cannot have the SSID or band (e.g., 2.4/5 GHz) explicitly selected by the user on the client for connection with WPS (e.g. pushing the 5 GHz, where supported, WPS button on the wireless router will force a client device to connect via WPS on only the 5 GHz band after a WPS session has been established by the client device which cannot explicitly allow the selection of wireless network and/or band for the WPS connection method).