In my experience, enforcing log-in for for this kind of consumer product done for the sake of security, rather than user hostility. Internet connected hardware on a home network is a very attractive attack vector, especially if commands are unauthenticated.
In my experience, my consumer products are significantly MORE secure when not requiring a log-in or in fact anything that requires any level of external network access to be facilitated or that mandates a requirement for personal or authentication related services to be hosted outside of my network, and that includes their applications. A potential avenue for security related incidents is now being forced upon users where previously it did not exist. Phillips can't leak my data due to incompetence when they don't have it, only now, they will.
This logic breaks down for hardware vendors don’t allow access to an underlying Linux system the IoT device is running on. The malware looks for easy targets to get root on - not so much turning on and off lights.
