Device Authentication

Most WiFi "things" have the following setup procedure:
  1. They start in an access point mode.
  2. You connect to the temporary access point and give it the network credentials to your home WiFi.
  3. The device reboots and uses the credentials to connect to the WiFi network.
The problem is that in step 2 you have no proof of who you are giving the WiFi password to. It could be your bulb, but it could just as well be your neighbor, or my rogue access point named "LIFX_WHITE_800". You would then give me your WiFi password, thinking you are giving it to the light bulb.

There is no authentication. You have no way to make sure there is no man in the middle trying to steal your credentials. Once this happens, you will want to change the WiFi password, and the consequence is having to re-provision the 50 or so orphaned WiFi devices.

The WiFi security model does not work for IoT. This is serious.
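
The gap in step 2 is that the access point's name is the only thing identifying the device. The sketch below is an added example, not code from the original post and not how any particular product works: it assumes each device ships with a random secret printed on its label that the phone app scans, and seals the credentials under that secret so an access point that merely uses the expected name receives nothing usable. The function names and sample values are hypothetical, and the HMAC-based cipher is a standard-library stand-in for a vetted AEAD.

```python
import hashlib
import hmac
import secrets

def _subkey(secret: bytes, purpose: bytes) -> bytes:
    # Derive separate keys for encryption and for the integrity tag.
    return hmac.new(secret, purpose, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode used as a keystream (stand-in for an AEAD).
    stream = b""
    for counter in range((len(data) + 31) // 32):
        block_input = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block_input, hashlib.sha256).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

def _tag(secret: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(_subkey(secret, b"mac"), nonce + ciphertext, hashlib.sha256).digest()

def seal_credentials(label_secret: bytes, ssid: str, psk: str) -> bytes:
    """Phone side: encrypt-then-MAC the credentials under the scanned label secret."""
    ssid_b = ssid.encode()
    plaintext = bytes([len(ssid_b)]) + ssid_b + psk.encode()  # length-prefixed SSID
    nonce = secrets.token_bytes(16)
    ciphertext = _xor_stream(_subkey(label_secret, b"enc"), nonce, plaintext)
    return nonce + ciphertext + _tag(label_secret, nonce, ciphertext)

def open_credentials(label_secret: bytes, blob: bytes):
    """Device side: return (ssid, psk), or None if the blob was not sealed for this secret."""
    if len(blob) < 49:  # 16-byte nonce + at least 1 byte + 32-byte tag
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(label_secret, nonce, ciphertext)):
        return None
    plaintext = _xor_stream(_subkey(label_secret, b"enc"), nonce, ciphertext)
    n = plaintext[0]
    return plaintext[1:1 + n].decode(), plaintext[1 + n:].decode()

# Constructed sample values, for illustration only.
BULB_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")   # from the bulb's label
OTHER_SECRET = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # any party without the label
BLOB = seal_credentials(BULB_SECRET, "HomeNet", "correct horse battery staple")

if __name__ == "__main__":
    print("real bulb  :", open_credentials(BULB_SECRET, BLOB))
    print("same SSID, no label secret:", open_credentials(OTHER_SECRET, BLOB))
```

Whoever relays or receives the blob without the label secret learns only ciphertext, so a matching SSID alone no longer yields the password.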
