@@ -101,6 +101,20 @@ wifi:
101101 In case it fails, all networks are then tested one after the other in their declared order, starting with the first
102102 one in the list.
103103
104+ - **min_auth_mode** (*Optional*, string): Only on `esp32` and `esp8266`. Sets the minimum WiFi authentication mode
105+ that the device will accept when connecting to access points. This controls the weakest encryption your device will
106+ allow. Possible values are :
107+
108+ - ` WPA` - Allows WPA, WPA2, and WPA3 networks (least secure, uses TKIP encryption with known vulnerabilities)
109+ - ` WPA2` - Allows WPA2 and WPA3 networks (recommended, uses AES encryption)
110+ - ` WPA3` - Only allows WPA3 networks (most secure, ESP32 only)
111+
112+ Defaults to `WPA2` on ESP32 and `WPA` on ESP8266 (will change to `WPA2` in 2026.6.0).
113+
114+ **Security Warning:** Setting `min_auth_mode: WPA` allows connection to networks using deprecated WPA/TKIP encryption,
115+ which has known security vulnerabilities. Only use this setting for legacy routers that cannot be upgraded to WPA2 or WPA3.
116+ If your router supports WPA2 or newer, use the default `WPA2` setting for better security.
117+
104118- **passive_scan** (*Optional*, boolean): If enabled, then the device will perform WiFi scans in a passive fashion.
105119 Defaults to `false`.
106120
@@ -202,6 +216,41 @@ wifi:
202216 power_save_mode: none
203217` ` `
204218
219+ {{< anchor "wifi-min_auth_mode" >}}
220+
221+ # # WiFi Authentication Mode
222+
223+ The `min_auth_mode` option allows you to control the minimum WiFi security standard your device will accept.
224+ This is useful for ensuring your device only connects to secure networks, or for maintaining compatibility with
225+ legacy routers that only support older encryption standards.
226+
227+ # ## Example: Maximum Security (WPA2 or newer)
228+
229+ ` ` ` yaml
230+ wifi:
231+ ssid: MyHomeNetwork
232+ password: VerySafePassword
233+ min_auth_mode: WPA2 # Reject WPA-only networks
234+ ` ` `
235+
236+ # ## Example: Legacy Router Support (WPA allowed)
237+
238+ ` ` ` yaml
239+ wifi:
240+ ssid: OldRouter
241+ password: VerySafePassword
242+ min_auth_mode: WPA # Allow connection to WPA-only routers (less secure)
243+ ` ` `
244+
245+ # ## Example: Modern Security (WPA3 only, ESP32 only)
246+
247+ ` ` ` yaml
248+ wifi:
249+ ssid: ModernRouter
250+ password: VerySafePassword
251+ min_auth_mode: WPA3 # Only connect to WPA3 networks (most secure)
252+ ` ` `
253+
205254{{< anchor "wifi-networks" >}}
206255
207256# # Connecting to Multiple Networks
@@ -248,8 +297,9 @@ wifi:
248297- **hidden** (*Optional*, boolean): Whether this network is hidden. Defaults to false.
249298 If you add this option you also have to specify ssid.
250299
251- - **priority** (*Optional*, float): The priority of this network. After each time, the network with
252- the highest priority is chosen. If the connection fails, the priority is decreased by one.
300+ - **priority** (*Optional*, int): The priority of this network (range: -128 to 127). The network with
301+ the highest priority is chosen. After each connection failure, the priority is decreased by one.
302+ If all tracked BSSIDs have identical priorities, they are automatically reset to 0 to start fresh.
253303 Defaults to `0`.
254304
255305{{< anchor "eap" >}}
0 commit comments