Protected Management Frames (PMF)

What are Protected Management Frames?

Protected Management Frames, often called PMF or by its standard number 802.11w, is a WiFi security feature that encrypts the "control signals" your devices and access points exchange. These control signals handle things like connecting, disconnecting, and switching channels. Without PMF, those signals are sent in the open where anyone can see and forge them.

Imagine a building where anyone can walk in and pull the fire alarm. People would evacuate even though there is no real fire. That is essentially what happens on a WiFi network without PMF: an attacker can send fake "disconnect" signals, and your devices obey because they have no way to verify who sent the command.

Why it matters

Without PMF, an attacker nearby can send forged deauthentication frames to kick any device off your WiFi. This is not a theoretical risk; cheap tools that do this are widely available and require no special skills. Attackers use this technique to force devices to reconnect, which can expose credentials or create a denial-of-service situation where devices cannot stay connected.

PMF stops this by signing management frames with a key that only your access point and authenticated clients share. A fake disconnect command from an outsider will be rejected because it lacks the correct signature. If you use WPA3, PMF is already required by the standard. For WPA2 networks, enabling PMF (even in "optional" mode) adds meaningful protection at no performance cost.

What you can do

• Enable PMF on all SSIDs; most modern routers offer a setting labeled "Protected Management Frames," "PMF," or "802.11w"
• If your router gives you a choice between "Optional" and "Required," start with "Optional" so that older devices can still connect without PMF while newer devices get protection
• Switch to "Required" once you have confirmed that all your devices support it; any device made after roughly 2018 should work fine
• If you are running WPA3, PMF is already mandatory, so no extra action is needed
• Upgrade firmware on your access points, as some older firmware versions have incomplete PMF support
• If you notice a device cannot connect after enabling PMF, check for a driver or firmware update for that device before disabling PMF network-wide

What Network Weather shows you

Network Weather checks your access point configuration and reports whether Protected Management Frames are enabled. PMF is required for WPA3 and strongly recommended for WPA2 networks.