TL;DR: Smart device security still comes down to three basics, strong unique credentials, multifactor authentication, and current software, even as connected devices reached roughly 21 billion in 2025 and are projected to reach 39 billion by 2030, according to IoT Analytics. The real governance problem is scale: every new device adds another identity surface that must be managed consistently.
At a glance
What this is: This is a practical guide to securing smart devices, and its key finding is that basic credential hygiene, MFA, and software updates remain the most effective controls.
Why it matters: It matters to IAM practitioners because every connected device becomes another identity to govern, and weak consumer-style practices can bleed into broader human, NHI, and access hygiene.
By the numbers:
- Connected Internet of Things (IoT) devices reached roughly 21 billion worldwide in 2025 and are projected to hit around 39 billion by 2030.
👉 Read Bitwarden's smart device security guidance for stronger credentials, MFA, and updates
Context
Smart device security is really identity security for consumer and workplace-connected devices. Once a thermostat, camera, ring, or assistant has an account, a password, and network access, it joins the same governance problem space as other internet-connected identities: access, authentication, and update hygiene.
The article argues that most risk is still concentrated in avoidable basics rather than exotic exploitation. That makes the topic relevant to IAM teams because weak credential discipline, absent multifactor authentication, and stale software are the same failure patterns that show up across human identity, non-human identity, and device ecosystems.
Secret sprawl and default access are the common failure mode: the issue is not that smart devices are uniquely complex, but that they are often deployed with credentials and settings that were never tightened after installation. That is a familiar identity governance problem, not a niche IoT problem.
Key questions
Q: How should teams secure smart devices that use companion apps and remote access?
A: Treat the device and its companion app as one identity surface. Use unique credentials, enable MFA, restrict remote administration, and keep firmware current. If the device cannot support those controls, remove it from trusted access paths. The key is to reduce both account reuse and network reach, because either one can turn a simple device into a persistent foothold.
Q: Why do reused passwords make smart devices harder to govern?
A: Reused passwords collapse multiple device accounts into a single failure point. If one credential leaks, every device sharing it becomes vulnerable, which defeats local containment and complicates offboarding. Governance gets harder because you can no longer prove that access is unique to one asset or one owner. Unique credentials are the minimum control that keeps device identity boundaries meaningful.
Q: What signals show that smart devices are outside acceptable security control?
A: Look for default logins still active, no MFA on remote access, stale firmware, and devices whose support has ended. Those are signs that the device is operating on residual trust rather than current assurance. When those signals appear together, the device should be treated as a governance exception and removed from sensitive network paths.
Q: Who should be accountable for smart device security in an organisation?
A: Accountability should sit with the team that owns the asset lifecycle, not just the team that purchased it. Facilities, IT, security, and identity teams may all have a role, but one owner must be responsible for credentials, updates, and retirement. Without clear ownership, device security becomes everyone’s problem and nobody’s control.
Technical breakdown
Default credentials and shared passwords create the first breach path
Smart devices often ship with factory credentials or simple local login flows that are easy to overlook during setup. If those defaults remain in place, the device identity is effectively public-facing, and if the same password is reused across devices, a single compromise can unlock multiple systems. This is the same structural weakness that made Mirai so effective: attackers do not need sophistication when authentication is predictable and repeated. The operational issue is not just weak passwords, but unmanaged credential lifecycle across many small endpoints.
Practical implication: inventory every connected device account, remove defaults at onboarding, and enforce unique credential assignment at deployment.
MFA raises the bar for consumer and admin access
Multifactor authentication adds a second verification step after the password, usually through an authenticator app or code-based challenge. For smart devices, that second factor matters most when the device account controls alerts, video feeds, remote unlocking, or settings that affect other users. SMS-based codes are better than nothing, but app-based codes are stronger because they reduce interception risk. MFA does not eliminate poor password practices, but it does convert a single credential into a less reusable one and narrows the blast radius of leaked passwords.
Practical implication: enable app-based MFA wherever the device or companion app supports it, especially for remote access and administrative settings.
Firmware updates are the hidden control plane
Smart device security depends on the software layer as much as the login layer. Firmware and companion app updates close known vulnerabilities, fix authentication defects, and sometimes remove insecure defaults that older versions still carry. When vendors stop supporting a device, the security model changes because patching stops being a control and becomes a residual risk. In practice, update cadence is part of access governance: a device that cannot be patched reliably should not stay on a trusted network segment indefinitely.
Practical implication: turn on automatic updates where possible, and replace unsupported devices before they become permanent exposure points.
Threat narrative
Attacker objective: The attacker wants durable access to smart devices and the data or network trust they expose.
- entry: Attackers commonly begin with default usernames, reused passwords, or exposed device login surfaces that were never hardened after installation.
- escalation: Once inside, they can take over device settings, monitor data, or pivot through companion apps and shared network access into broader home or office systems.
- impact: The final objective is to hijack device functionality, harvest personal data, or use the device as a foothold for wider attacks and botnet activity.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Smart device security is an identity hygiene problem, not a gadget problem. The article correctly lands on credentials, MFA, and patching because those three controls govern whether a device behaves as a trusted identity or an open door. In practice, smart devices fail the same way many service identities fail: defaults persist, reuse spreads, and update discipline is inconsistent. Practitioners should treat every connected device as an account with a lifecycle, not just a piece of hardware.
Default access is the most dangerous assumption in consumer device security. These devices are often introduced with vendor-managed onboarding and then left untouched, which creates a standing-access pattern that security teams know well from NHI governance. The named concept here is credential persistence debt: the longer a default or reused credential remains active, the more it compounds across devices, users, and networks. The implication is that onboarding is only the first control point, not the end of governance.
MFA improves resilience, but it does not compensate for weak identity design. If a device account is shared, poorly inventoried, or tied to an unsupported product, MFA becomes a narrow barrier rather than a governance control. That is why identity teams should think in terms of account ownership, recovery paths, and offboarding for connected devices. The practical conclusion is that authentication strength and lifecycle discipline have to move together.
Unsupported firmware creates a governance gap that outlives the original purchase decision. Once a device stops receiving updates, the organization or household is forced to rely on residual trust instead of current assurance. That is the same pattern seen in many NHI and machine-identity failures: the asset remains in use after the control plane has stopped protecting it. Practitioners should regard end-of-support as a security event, not a procurement footnote.
From our research:
- 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Only 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% at no or low visibility and 47% at only partial visibility.
- That visibility gap is why readers should also review Ultimate Guide to NHIs - Static vs Dynamic Secrets for a broader view of credential and access control.
What this signals
Credential persistence debt: smart device risk grows when defaults, reused passwords, and long-lived access are left in place after onboarding. That pattern is familiar across NHI governance too, which is why the same operational discipline that protects service accounts should also govern connected household and office devices.
With 88.5% of organisations saying their non-human IAM practices lag behind or only match human IAM, per the 2024 Non-Human Identity Security Report, the real issue is not device type but control consistency. If identity programmes cannot keep pace with machine identities, consumer IoT devices will rarely be better governed by accident.
The practical next step is to fold smart devices into asset, identity, and offboarding processes instead of treating them as isolated endpoints. That means credential ownership, update support, and retirement criteria must be visible before the device is allowed onto a trusted network.
For practitioners
- Replace factory credentials at first use Assign a unique password or passphrase to every smart device during onboarding and prohibit shared credentials across devices or locations.
- Turn on app-based multifactor authentication Enable MFA in the companion app or device portal, and prefer authenticator-app codes over SMS when both options exist.
- Track device update support status Maintain an inventory that includes firmware version, auto-update status, and vendor support end dates so unsupported devices can be removed or replaced.
- Separate smart devices from trusted identity zones Place consumer and IoT devices on segmented networks with restricted access to user accounts, admin consoles, and sensitive systems.
Key takeaways
- Smart devices become governance risks when default credentials, weak authentication, and stale firmware are left unmanaged.
- The scale of connected devices keeps expanding, which means every additional device increases the number of identities that must be protected.
- Security teams should treat device onboarding, MFA, patching, and retirement as one lifecycle, not four unrelated tasks.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Default and reused credentials are a core NHI control failure pattern. |
| NIST CSF 2.0 | PR.AC-1 | Access control and authentication discipline map directly to smart device account governance. |
| NIST Zero Trust (SP 800-207) | AC-4 | Segmenting device access reduces blast radius when IoT endpoints are compromised. |
Inventory device credentials, remove defaults, and rotate or replace shared secrets immediately.
Key terms
- Smart Device Identity: A smart device identity is the account, credential, or trust relationship that lets an internet-connected device authenticate and act on a network. For governance purposes, it should be managed like any other access-bearing identity, with ownership, monitoring, and retirement controls.
- Credential Reuse: Credential reuse happens when the same password or secret is used across multiple devices or services. It weakens containment because a single exposure can compromise several identities at once, turning one mistake into a broader access problem.
- Firmware Support Lifecycle: Firmware support lifecycle is the period during which a vendor provides updates, patches, and security fixes for a device. Once support ends, the device keeps working but loses the control plane that maintains its security posture, which changes its risk profile materially.
What's in the full article
Bitwarden's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step setup guidance for stronger credentials across common smart devices and companion apps
- Practical tips for enabling MFA where it is available in consumer device ecosystems
- Advice on keeping device software current and deciding when unsupported devices should be replaced
👉 The full Bitwarden post covers the practical setup steps for consumer and office-connected devices.
Deepen your knowledge
NHI governance, machine identity security, and secrets management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org