WiFi Protected Setup

Posted on 5 2026

WiFi Protected Setup (WPS) is a network security standard introduced in 2006, designed to make it easier to connect devices to a WiFi network without manually entering the SSID and passphrase. It works via two mechanisms: a push button on the router, or an eight-digit PIN.

The push button method is relatively benign. Press the button on the router and press the WPS button on the device within two minutes. They negotiate the connection automatically.

The PIN method is not benign. It has a fundamental design flaw: the eight-digit PIN is validated in two four-digit halves, and the last digit is a checksum of the first seven, so the second half has only 1,000 possible values against 10,000 for the first. This reduces the effective keyspace from 100,000,000 combinations to 11,000. A brute force attack can recover the PIN in a matter of hours. Once the PIN is known, an attacker has permanent access to the network passphrase regardless of how many times the passphrase is changed, because WPS will always reveal it.

This vulnerability was publicly disclosed in 2011 and has never been fixed because fixing it would require a new standard. Routers that shipped with WPS enabled in 2006 were still shipping with it enabled in 2019. Some routers implemented a lockout after repeated failed attempts; many did not.

The current position

WPS is disabled by default on UniFi devices and is not exposed through the UniFi Network application interface. There is no configuration path in UniFi to enable WPS. This is the correct decision.

The wireless page of this series explicitly recommends against enabling WPS and the configuration described there reflects that: no WPS, strong Diceware passphrases stored in KeePassXC.

The alternative

The inconvenience WPS was designed to solve, entering a long WiFi passphrase on devices with awkward input methods, is better addressed by:

QR code sharing: the UniFi mobile app and most modern phones can generate and scan a QR code that encodes the SSID and passphrase. Scanning it connects the device without typing. No security trade-off, no PIN vulnerability.

KeePassXC autofill: for devices with browsers, KeePassXC stores the passphrase and fills it when needed.

The passphrase itself: a five-word Diceware passphrase like "timid bingle heath duck flow" is both strong and typeable, even on a TV remote or a game console’s on-screen keyboard. It is not as convenient as a button press, but it is also not a security vulnerability that has been publicly exploitable for fifteen years.
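What the QR code in the first option above actually carries, as an added example that is not part of the original post or of UniFi's code: a sketch that builds and parses the de facto "WIFI:" text payload, including the backslash escaping that SSIDs and passphrases containing `;`, `:`, `,`, `"` or `\` need. It assumes the scanner follows the ZXing convention for this payload; the function names and the SSID are hypothetical.

```python
# Added example: build and parse the de facto "WIFI:" QR payload (ZXing convention).
SPECIAL = '\\;,:"'  # characters backslash-escaped inside field values


def escape(value: str) -> str:
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)


def build_wifi_payload(ssid: str, passphrase: str, hidden: bool = False) -> str:
    """Return the text a QR encoder should render for a WPA/WPA2 network."""
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    if not (passphrase.isascii() and 8 <= len(passphrase) <= 63):
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    fields = [("T", "WPA"), ("S", escape(ssid)), ("P", escape(passphrase))]
    if hidden:
        fields.append(("H", "true"))
    return "WIFI:" + "".join(f"{k}:{v};" for k, v in fields) + ";"


def parse_wifi_payload(payload: str) -> dict:
    """Inverse of build_wifi_payload: split on unescaped ';' and undo escapes."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    fields, current, chars = {}, [], iter(payload[5:])
    for ch in chars:
        if ch == "\\":
            current.append(next(chars, ""))   # escaped character, taken literally
        elif ch == ";":
            if current:                        # the empty field is the terminator
                key, _, value = "".join(current).partition(":")
                fields[key] = value
            current = []
        else:
            current.append(ch)
    return fields


# Constructed sample values: the SSID is hypothetical, the passphrase is the
# page's own illustration (never reuse a published passphrase).
SAMPLE = build_wifi_payload("Home;Lab", "timid bingle heath duck flow")

if __name__ == "__main__":
    print(SAMPLE)
    print(parse_wifi_payload(SAMPLE))
```

The payload holds the passphrase in clear text, so a printed or photographed code deserves the same handling as the passphrase itself.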

Summary

WPS is off. It stays off. There is nothing to configure here.

If you are ever in a situation where a device refuses to connect without WPS enabled, that is useful information about that device’s security posture. Consider whether it belongs on a trusted VLAN or whether the IoT VLAN is a more appropriate home for it.