A credential provisioning technique is provided that is secure yet easy to administer. A credential provisioner such as a network AP is configured to leave a secure mode of operation and allow open authentication with a wireless supplicant. After open authentication is established, the wireless supplicant requests credential provisioning. In response, the credential provisioner supplies the supplicant with an encrypted password. To prevent unauthorized access, the supplicant again requests credential provisioning but also proves knowledge of the encrypted password. At least one credential is supplied to the wireless supplicant in response to the proof only if a waiting period expires with just one request for credential provisioning being received by the credential provisioner.