diff --git a/components/protocomm/include/transports/protocomm_ble.h b/components/protocomm/include/transports/protocomm_ble.h
index f899f95b18..2447c1c5d2 100644
--- a/components/protocomm/include/transports/protocomm_ble.h
+++ b/components/protocomm/include/transports/protocomm_ble.h
@@ -82,6 +82,9 @@ typedef struct protocomm_ble_config {
 /* BLE bonding */
 unsigned ble_bonding:1;
+ /* BLE security flag */
+ unsigned ble_sm_sc:1;
+
 } protocomm_ble_config_t;
 /**
diff --git a/components/protocomm/src/simple_ble/simple_ble.c b/components/protocomm/src/simple_ble/simple_ble.c
index c6db16a9f8..6ea752c9bc 100644
--- a/components/protocomm/src/simple_ble/simple_ble.c
+++ b/components/protocomm/src/simple_ble/simple_ble.c
@@ -269,11 +269,12 @@ esp_err_t simple_ble_start(simple_ble_cfg_t *cfg)
 ESP_LOGD(TAG, "Free mem at end of simple_ble_init %d", esp_get_free_heap_size());
 /* set the security iocap & auth_req & key size & init key response key parameters to the stack*/
- esp_ble_auth_req_t auth_req;
+ esp_ble_auth_req_t auth_req= ESP_LE_AUTH_REQ_MITM;
 if (cfg->ble_bonding) {
- auth_req = ESP_LE_AUTH_REQ_SC_MITM_BOND; //bonding with peer device after authentication
- } else {
- auth_req = ESP_LE_AUTH_REQ_SC_MITM;
+ auth_req |= ESP_LE_AUTH_BOND; //bonding with peer device after authentication
+ }
+ if (cfg->ble_sm_sc) {
+ auth_req |= ESP_LE_AUTH_REQ_SC_ONLY;
 }
 esp_ble_io_cap_t iocap = ESP_IO_CAP_NONE; //set the IO capability to No output No input
 uint8_t key_size = 16; //the key size should be 7~16 bytes
diff --git a/components/protocomm/src/simple_ble/simple_ble.h b/components/protocomm/src/simple_ble/simple_ble.h
index 458fc52b36..ebe69438ac 100644
--- a/components/protocomm/src/simple_ble/simple_ble.h
+++ b/components/protocomm/src/simple_ble/simple_ble.h
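Review bot: The comment on the new `ble_sm_sc` field, `/* BLE security flag */`, does not say what the flag selects or what happens when it is left clear, and this is the public header most callers will read. The matching field in simple_ble.h in this same change is documented as a Secure Connection flag and the NimBLE transport copies it straight into `ble_hs_cfg.sm_sc`, so I would write `/* Use LE Secure Connections (ECDH) pairing; 0 selects LE legacy pairing, which is weaker — keep set unless the peer cannot do SC */`. Because this is a new bit-field, existing callers that zero-initialize the config will read it as 0, which is worth stating here so they know to set it explicitly.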
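Review bot: With `cfg->ble_sm_sc` clear, `auth_req` is now just `ESP_LE_AUTH_REQ_MITM` with no SC bit, i.e. LE legacy pairing, where before this hunk the Bluedroid path always requested `ESP_LE_AUTH_REQ_SC_MITM`; together with `ESP_IO_CAP_NONE` two lines below, legacy Just Works pairing is generally regarded as recoverable by a passive eavesdropper of the pairing exchange, so any caller of this transport that does not know about the new field silently loses Secure Connections. scheme_ble.c in this change forces the flag on for Bluedroid builds, but direct protocomm users are not covered, so I would at least make the downgrade visible with `if (!cfg->ble_sm_sc) { ESP_LOGW(TAG, "LE Secure Connections disabled, falling back to legacy pairing"); }`. A nit on the first added line: `esp_ble_auth_req_t auth_req = ESP_LE_AUTH_REQ_MITM;` (space before `=`) matches the surrounding style. simple_ble_start's body starts and continues outside the hunk.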
@@ -49,8 +49,10 @@ typedef struct {
 simple_ble_cb_t *connect_fn;
 /** MTU set callback */
 simple_ble_cb_t *set_mtu_fn;
- /* BLE bonding */
- unsigned ble_bonding:1;
+ /** BLE bonding */
+ unsigned ble_bonding:1;
+ /** BLE Secure Connection flag */
+ unsigned ble_sm_sc:1;
 } simple_ble_cfg_t;
diff --git a/components/protocomm/src/transports/protocomm_ble.c b/components/protocomm/src/transports/protocomm_ble.c
index 2a2c892307..e619e5621b 100644
--- a/components/protocomm/src/transports/protocomm_ble.c
+++ b/components/protocomm/src/transports/protocomm_ble.c
@@ -647,6 +647,7 @@ esp_err_t protocomm_ble_start(protocomm_t *pc, const protocomm_ble_config_t *con
 ble_config->gatt_db_count = populate_gatt_db(&ble_config->gatt_db);
 ble_config->ble_bonding = config->ble_bonding;
+ ble_config->ble_sm_sc = config->ble_sm_sc;
 if (ble_config->gatt_db_count == -1) {
 ESP_LOGE(TAG, "Invalid GATT database count");
diff --git a/components/protocomm/src/transports/protocomm_nimble.c b/components/protocomm/src/transports/protocomm_nimble.c
index 6bac49df39..f0367c4ba5 100644
--- a/components/protocomm/src/transports/protocomm_nimble.c
+++ b/components/protocomm/src/transports/protocomm_nimble.c
@@ -121,8 +121,10 @@ typedef struct {
 simple_ble_cb_t *connect_fn;
 /** MTU set callback */
 simple_ble_cb_t *set_mtu_fn;
- /* BLE bonding */
- unsigned ble_bonding:1;
+ /** BLE bonding */
+ unsigned ble_bonding:1;
+ /** BLE Secure Connection flag */
+ unsigned ble_sm_sc:1;
 } simple_ble_cfg_t;
 static simple_ble_cfg_t *ble_cfg_p;
@@ -492,7 +494,7 @@ static int simple_ble_start(const simple_ble_cfg_t *cfg)
 ble_hs_cfg.sm_io_cap = BLE_SM_IO_CAP_NO_IO; /* Just Works */
 ble_hs_cfg.sm_bonding = cfg->ble_bonding;
 ble_hs_cfg.sm_mitm = 1;
- ble_hs_cfg.sm_sc = 1; /* Enable secure connection by default */
+ ble_hs_cfg.sm_sc = cfg->ble_sm_sc;
 /* Distribute LTK and IRK */
 ble_hs_cfg.sm_our_key_dist = BLE_SM_PAIR_KEY_DIST_ENC | BLE_SM_PAIR_KEY_DIST_ID;
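Review bot: `ble_hs_cfg.sm_sc = cfg->ble_sm_sc;` flips the default for Secure Connections from on to off: `ble_sm_sc` is a new bit-field, so any existing caller that zero-initializes its config now gets LE legacy pairing, whereas the removed line hard-wired `sm_sc = 1`. With `sm_io_cap = BLE_SM_IO_CAP_NO_IO` three lines above, legacy pairing means Just Works, which offers no protection against an eavesdropper of the pairing exchange, and `sm_mitm = 1` does not change the method selected because neither side has I/O to authenticate with. I would make this opt-out rather than opt-in, or failing that log the downgrade: `if (!cfg->ble_sm_sc) { ESP_LOGW(TAG, "LE Secure Connections disabled; legacy Just Works pairing is not eavesdropping-resistant"); }`. The enclosing simple_ble_start starts and ends outside the hunk.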
@@ -636,9 +638,13 @@ ble_gatt_add_characteristics(struct ble_gatt_chr_def *characteristics, int idx)
 memcpy(&temp_uuid128_name.value[12], &protoble_internal->g_nu_lookup[idx].uuid, 2);
 (characteristics + idx)->flags = BLE_GATT_CHR_F_READ |
- BLE_GATT_CHR_F_WRITE |
- BLE_GATT_CHR_F_READ_ENC |
- BLE_GATT_CHR_F_WRITE_ENC;
+ BLE_GATT_CHR_F_WRITE ;
+
+#if defined(CONFIG_WIFI_PROV_BLE_FORCE_ENCRYPTION)
+ (characteristics + idx)->flags |= BLE_GATT_CHR_F_READ_ENC |
+ BLE_GATT_CHR_F_WRITE_ENC;
+#endif
+
 (characteristics + idx)->access_cb = gatt_svr_chr_access;
 /* Out of 128 bit UUID, 16 bits from g_nu_lookup table. Currently
@@ -909,6 +915,7 @@ esp_err_t protocomm_ble_start(protocomm_t *pc, const protocomm_ble_config_t *con
 ble_config->device_name = protocomm_ble_device_name;
 ble_config->ble_bonding = config->ble_bonding;
+ ble_config->ble_sm_sc = config->ble_sm_sc;
 if (populate_gatt_db(&ble_config->gatt_db, config) != 0) {
 ESP_LOGE(TAG, "Error populating GATT Database");
diff --git a/components/wifi_provisioning/Kconfig b/components/wifi_provisioning/Kconfig
index 0d37a9b820..bdc9e39c28 100644
--- a/components/wifi_provisioning/Kconfig
+++ b/components/wifi_provisioning/Kconfig
@@ -17,9 +17,26 @@ menu "Wi-Fi Provisioning Manager"
 config WIFI_PROV_BLE_BONDING
 bool
- default n
 prompt "Enable BLE bonding"
 depends on BT_ENABLED
+ default y
 help
 This option is applicable only when provisioning transport is BLE.
+
+ config WIFI_PROV_BLE_SEC_CONN
+ bool
+ prompt "Enable BLE Secure connection flag"
+ depends on BT_NIMBLE_ENABLED
+ default y
+ help
+ Used to enable Secure connection support when provisioning transport is BLE.
+
+ config WIFI_PROV_BLE_FORCE_ENCRYPTION
+ bool
+ prompt "Force Link Encryption during characteristic Read / Write"
+ depends on BT_NIMBLE_ENABLED
+ default y
+ help
+ Used to enforce link encryption when attempting to read / write characteristic
+
 endmenu
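Review bot: The `#if defined(CONFIG_WIFI_PROV_BLE_FORCE_ENCRYPTION)` guard makes a protocomm transport depend on a Kconfig symbol that this same commit defines under components/wifi_provisioning, so a project that uses protocomm BLE without the Wi-Fi provisioning component never has the symbol set and ends up with plain `BLE_GATT_CHR_F_READ | BLE_GATT_CHR_F_WRITE` characteristics, where before this hunk `READ_ENC | WRITE_ENC` were unconditional. That is a silent downgrade for direct protocomm users: an unpaired central can then read and write these characteristics with nothing but the protocomm security scheme in the way. I would either move the option into protocomm's own Kconfig with the same `default y`, or drive it from a field on `protocomm_ble_config_t` next to `ble_sm_sc` so the transport does not reach into another component's configuration. Nit: `BLE_GATT_CHR_F_WRITE ;` has a stray space before the semicolon. ble_gatt_add_characteristics starts and ends outside the hunk.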
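Review bot: The help text for the two new options does not tell the user what is lost by turning them off, which matters because both are security knobs that default to y. For `WIFI_PROV_BLE_SEC_CONN` I would write `Use LE Secure Connections (ECDH) pairing. Disabling this falls back to LE legacy pairing, which with the NoInputNoOutput capability used by the provisioning transport is not protected against a passive eavesdropper of the pairing exchange.`, and for `WIFI_PROV_BLE_FORCE_ENCRYPTION` something like `Require an encrypted link to read or write the provisioning characteristics. Disabling this lets an unpaired central access them, leaving only the protocomm security scheme as protection.`. Both new options `depend on BT_NIMBLE_ENABLED` while `WIFI_PROV_BLE_BONDING` depends on `BT_ENABLED`; a one-line note that the Bluedroid build always enables Secure Connections (as scheme_ble.c does in this change) would explain the asymmetry to whoever reads menuconfig.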
diff --git a/components/wifi_provisioning/src/scheme_ble.c b/components/wifi_provisioning/src/scheme_ble.c
index 147465ecf1..a133592f92 100644
--- a/components/wifi_provisioning/src/scheme_ble.c
+++ b/components/wifi_provisioning/src/scheme_ble.c
@@ -38,10 +38,14 @@ static esp_err_t prov_start(protocomm_t *pc, void *config)
 protocomm_ble_config_t *ble_config = (protocomm_ble_config_t *) config;
- #ifdef CONFIG_WIFI_PROV_BLE_BONDING
+ #if defined(CONFIG_WIFI_PROV_BLE_BONDING)
 ble_config->ble_bonding = 1;
 #endif
+ #if defined(CONFIG_WIFI_PROV_BLE_SEC_CONN) || defined(CONFIG_BT_BLUEDROID_ENABLED)
+ ble_config->ble_sm_sc = 1;
+ #endif
+
 /* Start protocomm as BLE service */
 if (protocomm_ble_start(pc, ble_config) != ESP_OK) {
 ESP_LOGE(TAG, "Failed to start protocomm BLE service");