Does WPA3 OWE mean the return of Evil Twins?

Short answer: No, they never left

OWE is not meant to replace PSK; it's meant to enhance open networks by encrypting them, but it doesn't provide authentication. For that you still need a PSK or Enterprise configuration. As such, you have the same problem with "evil twins", aka MitMs, in WPA3 OWE networks as you have in unprotected networks.
OWE does not do authentication, "only" encryption. As such, it does not protect against evil-twin attacks. However, WPA3 certification does require Protected Management Frames, which makes it more difficult for an attacker to force a victim to disconnect.

Protection against evil-twin attacks requires the victim to authenticate the network it's connecting to, which requires either WPA3-Personal or WPA3-Enterprise.

Note: WPA3-Personal (and IIRC WPA3-Enterprise, but I'm not sure), unlike previous standards, does not use PSK exchange but instead uses SAE (Simultaneous Authentication of Equals).

Sources:

  • https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#WPA3
  • Others I do not recall

With WPA2 PSK (and some forms of Enterprise), I could tell whether the server also knew the right password, but that doesn't exist anymore.

Hold on, why does that not exist anymore?

In WPA2, if a password is known, a device will typically not connect to an open network with the same name. While I don't own a WPA3 device to test with, I would assume that it does the same: if it knows a key, an access point with the same name and OWE should not be considered a known access point.

Additionally, as Martin Sundhaug mentioned already, they fixed the deauthentication attack. The best an attacker can now do is jam the frequency which is not only harder, but in most places also more illegal than deauth attacks.

If there is no password (so OWE is used), I think it very likely that an evil twin attack will work. If the device would save and check the key, owners would have to somehow synchronise keys between their access points, even though it does not have a password set. They are probably, by design, not going to make it so complicated. If that is what you meant, I would not call it "the return of" the evil twin attack, but rather "nothing changed regarding the evil twin attack".
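Added example, not from any answer in the thread: a simplified Python model of the two client-side checks the answers above rely on, a saved-network profile matching on SSID plus security type (so an OWE twin of a saved SAE/PSK network is not auto-joined, while an OWE twin of an OWE network is indistinguishable), and PMF causing unprotected deauthentication frames to be discarded. The dataclass names, AKM labels and sample BSSIDs are constructed assumptions, not a real 802.11 stack.

```python
# Added example (not from the thread): a simplified model of two client-side
# behaviours, not a real 802.11 implementation. Names are assumptions.
from dataclasses import dataclass

# Key-management (AKM) types as a client would read them from a beacon's RSN element.
OPEN, OWE, PSK, SAE = "open", "owe", "wpa2-psk", "wpa3-sae"


@dataclass(frozen=True)
class SavedNetwork:
    ssid: str
    akm: str            # how the user originally joined this SSID


@dataclass(frozen=True)
class Beacon:
    ssid: str
    akm: str
    bssid: str          # constructed sample MACs in the tests, not real hardware


def should_auto_join(saved: SavedNetwork, seen: Beacon) -> bool:
    """A saved profile matches only if SSID *and* security type agree.

    An AP advertising OWE under the SSID of a saved PSK/SAE network is treated
    as an unknown network, not as the known one with a missing password.
    For a saved OWE network, an OWE twin with the same SSID still matches:
    there is no key the client could check.
    """
    return saved.ssid == seen.ssid and saved.akm == seen.akm


@dataclass(frozen=True)
class Association:
    bssid: str
    pmf_negotiated: bool   # True when 802.11w (PMF) was agreed at association


@dataclass(frozen=True)
class DeauthFrame:
    bssid: str
    protected: bool        # True only if integrity-protected with the session key


def accept_deauth(assoc: Association, frame: DeauthFrame) -> bool:
    """With PMF negotiated, an unprotected deauth claiming our AP is discarded."""
    if frame.bssid != assoc.bssid:
        return False
    if assoc.pmf_negotiated and not frame.protected:
        return False
    return True
```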

Tags:

Wpa3

Evil Twin