TL;DR: Matter security depends on three linked controls, device identity, firmware integrity, and operator-managed trust, because interoperability only works when every device can prove origin, authenticity, and software state, according to Keyfactor. The trust model extends beyond onboarding, making lifecycle certificate control and signed firmware the real governance boundary for OEMs, operators, and ecosystem partners.
NHIMG editorial — based on content published by Keyfactor: How Matter Builds Trust: Device Identity, Firmware Integrity, and the Role of Operators
By the numbers:
- Only 38% have automated certificate lifecycle management in place.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should organisations govern device identity across manufacturing and deployment?
A: They should treat manufacturing identity and operational identity as separate governance stages.
Q: Why do firmware signing and secure boot matter for device trust?
A: Because a trusted certificate is not enough if the device can later run altered code.
Q: What breaks when operator-controlled trust is not governed clearly?
A: Accountability breaks first, followed by revocation gaps and weak visibility.
Practitioner guidance
- Separate manufacturing identity from operational identity Model DAC issuance and NOC issuance as distinct governance flows with different owners, controls, and revocation paths.
- Harden firmware signing authority Store signing keys in HSMs or approved cloud key vaults, limit who can sign, and log every signing event so firmware provenance can be verified later.
- Define operator revocation responsibility Document which party can revoke, renew, or observe device certificates when the operator and OEM are different entities.
What's in the full article
Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:
- How DAC issuance works across high-volume manufacturing environments and why automation matters
- How NOC provisioning and lifecycle management support distributed smart-home fabrics at scale
- How secure firmware signing is implemented through cryptographic hardware, policy enforcement, and audit trails
- How operators can act as fabric administrators across millions of connected households
👉 Read Keyfactor's analysis of Matter device identity and firmware integrity →
Matter device identity and firmware integrity: what IAM teams should know?
Explore further
Device identity is only useful when lifecycle governance survives the handoff from factory to fabric. Matter makes the difference between proof of origin and proof of ongoing trust explicit. DACs answer who made the device, while NOCs answer whether the device should still be trusted inside the operational environment. The field lesson is that onboarding identity without lifecycle governance creates a false sense of security, especially in large device populations.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: How do identity teams apply certificate lifecycle discipline to connected devices?
A: They inventory all device certificates, define ownership for issuance and revocation, and review whether renewal and decommissioning are actually enforced. The same lifecycle discipline used for service accounts applies here, but device ecosystems add manufacturing, firmware, and operator handoff points that must be explicitly governed.
👉 Read our full editorial: Matter device identity and firmware integrity define smart-home trust