Mikah Sargent, writing for iMore, on the importance of software-based authentication for HomeKit devices that Apple officially rolled out with iOS 11.3 last week:
Up to this point, commercial accessories were also required to incorporate Apple's hardware-based Authentication Coprocessor in order to obtain HomeKit certification. The coprocessor handled Apple's strict rules for encryption and security for HomeKit-enabled accessories. Apple takes HomeKit security seriously — the company says all HomeKit sessions are end-to-end encrypted and mutually authenticated (authenticated by all parties). Each communication session also includes something called "perfect forward secrecy," meaning that encryption keys aren't reused — a new key is generated for every session.
These strict rules meant most companies had to build accessories specifically with Apple's HomeKit requirements in mind. It was a beneficial rule for consumers in terms of privacy and security, but it also meant — at least at the beginning — fewer available HomeKit-enabled accessories. Companies who already had smart home products on the market would need to rethink their products if they wanted to offer HomeKit-enabled accessories. That changes as of iOS 11.3.
I was under the assumption that HomeKit software authentication was already available since Apple announced it at WWDC '17 (in fact, I covered it in my iOS 11 review here). As Sargent notes on Twitter, however, accessory makers only received support for software authentication with iOS 11.3, which explains why we haven't heard of major "HomeKit software updates" yet. Assuming that Apple's certification process for HomeKit accessories is still going to take weeks, I'm curious to see if software authentication will at least make it easier for third-party manufacturers to consider HomeKit integration.