Wireless Security

Enhanced Open and OWE: Encryption for Password-Free Wi-Fi

July 7, 2026 7 min read Haven Team

The Wi-Fi at the coffee shop has no password. For decades that has meant one thing at the radio layer: everything you send travels in the clear, readable by anyone within range running a packet sniffer. The convenience of walking up and connecting came bundled with the absence of encryption, as if the two had to go together. Opportunistic Wireless Encryption breaks that bundle. It keeps the no-password convenience and adds per-client encryption anyway.


To see what OWE fixes, start with what an open network actually is. When you join a Wi-Fi network with a password, your device and the access point run a handshake that produces unique encryption keys, so the data flying through the air is scrambled. An open network skips that handshake entirely. There is no shared secret to derive keys from, so the frames go out unencrypted. Anyone nearby with the right software can capture them, and on a busy network that means capturing everyone's.

The traditional answer was to tell people to use a VPN or to trust that HTTPS covers them. Both help, and you should still use transport encryption, but neither addresses the underlying fact that the wireless link itself is broadcasting in plaintext. OWE, standardized as RFC 8110 and certified by the Wi-Fi Alliance under the name Wi-Fi CERTIFIED Enhanced Open, encrypts that link even though no one typed a password.

How you get a key from nothing

The trick is that a password was never actually required to establish encryption. It was required to establish encryption plus authentication at the same time. OWE separates those. It uses a Diffie-Hellman key exchange when a device associates with the access point, so the two sides derive a shared secret over the air without any pre-shared password. From that secret they generate the same kind of per-session keys a password-protected network would, and the traffic is encrypted from then on.

The important property of a Diffie-Hellman exchange is that a passive eavesdropper who records the whole conversation still cannot compute the resulting key. Each client that joins gets its own independent exchange and therefore its own keys. One person on the network cannot decrypt another person's traffic, which is a sharp improvement over legacy open Wi-Fi where everyone shared the same absence of protection.

The one-line summary

OWE gives every device on an open network its own encrypted link with the access point, derived through Diffie-Hellman, with no password to enter. Passive sniffing of your traffic by others on the same network stops working.

The limit you have to understand: no authentication

Here is where honesty matters, because OWE solves one problem cleanly and leaves another untouched. It encrypts the link, but it does not authenticate the access point. Since there is no password and no certificate, your device has no way to confirm that the access point it just encrypted a session with is the real coffee-shop network rather than an impostor a few tables away.

That gap keeps the door open to an active attacker. Someone can stand up an evil twin, an access point that advertises the same network name, and if your device connects to it, the attacker sits in the middle of an encrypted-but-attacker-controlled link. The encryption is real, but it is encryption to the wrong party. OWE stops the casual passive eavesdropper. It does not, on its own, stop the attacker willing to run their own rogue access point and lure you onto it.

Wi-Fi mode Link encrypted? Access point authenticated?
Legacy open No No
Enhanced Open (OWE) Yes, per client No
WPA3-Personal (password) Yes, per client Shared secret proves both know the password

Where OWE fits, and transition mode

OWE arrived alongside WPA3 as part of the same generation of Wi-Fi security improvements, and it is aimed squarely at the networks that will never have a password: cafes, airports, hotels, libraries, public spaces. For those, the realistic comparison is not OWE versus a password network. It is OWE versus nothing, and against nothing it is a clear gain.

Because not every device supports Enhanced Open yet, the standard defines a transition mode that lets an access point offer both an OWE-protected network and a legacy open one under the same name, so older clients still connect while newer ones automatically get encryption. It smooths adoption, though it also means a device that silently falls back to the open version is back to plaintext, which is worth remembering when you rely on the encryption being there.

Enhanced Open removes the excuse that public Wi-Fi has to be unencrypted. It does not remove the need to verify who you are actually talking to, which is a job for the layers above the radio.

What to actually do about public Wi-Fi

OWE is a reason for cautious optimism, not a reason to relax. Treat it as one layer that removes the easiest attack against you on an open network while leaving the harder ones in place. The practical posture has not really changed.

The through-line connects to how good security is built in general. No single layer is the whole answer. OWE hardens the wireless hop, transport encryption hardens the path across the internet, and end-to-end encryption protects the message itself so that even a compromised network cannot read it. Haven's encryption lives at that top layer for exactly this reason: the safest assumption is that the network under you is hostile, and to make sure your content survives it anyway.

Try Haven free for 15 days

Encrypted email and chat in one app. No credit card required.

Get Started →