Things will have identities. OK, but what does that mean? On today's Web, the default is that, for us humans, having an identity means we have an account & password at each of the application providers we interact with. How's that working out? Would it work any better for things? Let's explore a security & identity model for things that do not make the existing password problem orders of magnitude worse. (Hint: can identity protocols like OAuth & OpenID Connect help?). And on the flip side, let's consider how might our things facilitate our own interactions with applications (might that smart watch have an opinion on your own identity attributes?).