Elsewhere, for decades, I've bemoaned the fact that keyboards (etc) don't have credit card swipes (perhaps today "and chip readers") so with some care on the part of the software someone could prove they likely have physical access to the card. But it would be very useful in this IoT problem. You power up a new device, it won't enable until you run some web (e.g.) interface. At that point you swipe a card which generates a hash which secures the IoT device from further config until it's presented again. The device can have the usual reset to factory config button for the case of lost cards. It needn't even be an active credit card. It could be an old spent gift card. It could even be a free card that comes right in the box tho that might invite predictability, but maybe a basket of cards to use at the checkout counter "take one you'll need it for setup". The software just has to be able to read the magstripe or chip and use the info to generate a reasonably secure hash which is stored (preferably in the device.) Need to reconfig, open the window, swipe the same card. Hotel safes often use this approach as an alternative to PIN entry. The device doesn't store any info about the card directly, only the hash. And as I said it could be most anything that looks like a credit card and has a readable mag stripe. The user doesn't have to come up with a password and can't use the device until a hash is stored. But, alas, no swipes... -- -Barry Shein Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD The World: Since 1989 | A Public Information Utility | *oo*