by stonepresto 939 days ago
I agree WPS is a disaster.

My approach is just setting proper firewall rules on a dedicated ESSID with a dedicated VLAN. A device on a restricted VLAN shouldn't be able to talk to anything. The downside is it's more work, but the plus side is it can be done on trusted firmware (OpenWRT) and not something that would require an entire code audit to determine if there are any logic flaws.

1 comments

This doesn’t isolate the devices from each other, though. (Well, maybe if you have isolation set up on the AP and the devices are all connected to the same radio or isolation happens to work across radios and no one exploits any of the myriad ways in which Ethernet, on the same broadcast domain, is not a secure protocol.)