OWASP / IoT-Security-Verification-Standard-ISVS

OWASP IoT Security Verification Standard (ISVS)

Usability regarding WPS #76

Closed cetome closed 3 years ago

cetome commented 3 years ago

WPS is super useful for non-tech people: they press a button and connect. I would rewrite "Verify that Wi-Fi Protected Setup (WPS) is not used to establish Wi-Fi connections between devices." to "can be deactivated" or, to go even further: "is deactivated by default when physical access is a threat".

scriptingxss commented 3 years ago

WPS is a known insecure pairing protocol that is relevant to consumer IoT but should never be used in an enterprise environment. WPS should not be part of secure device onboarding schemes for new devices or even disabled as a default.

We did brainstorm around zero-touch provisioning and securely onboarding devices, but it would require a hardware root of trust that cryptographically asserts its identity with additional flows that would be too complex for this standard.