Comment by protocolture

>IoT security is generally terrible

I think IoT demands a rethink of security.

Like sometimes I want IoT devices to just bloody connect, and if I have to use a published exploit that circumvents online only requirements I will do it.

But some people do genuinely have use cases for cloud speaking IoT stuff.

Really I think the device should ask at first run, and then burn in your response and act only in the selected mode. If you want it to require Cloud MFA, thats an option, if you want to piss python at your lightbulb to make it blink, then thats where it lives permanently.