While California’s move marks a shift toward legislating device security, the technology’s problems go far beyond the need for passwords, says Syed Ali, an Expert Vice President at the Bain & Company. Since the devices are smaller and have weaker computing power, they often can’t run security software and meet their core competencies at the same time. Academic and industry researchers are creating more secure, “lightweight” operating systems and hardware to help improve security, but these solutions won’t work for every application nor will every company adopt them, according to Ali.

Digging deeper, Ali says, there are oversight shortcomings in the sourcing of hardware and software used in these tools. This means that without a company knowing, backdoors could be placed in a device and provide a way to access its contents regardless of a password.