
I'm trying to design a solution to replace hardware keys. I have an application running on a device that will not have internet access, so it cannot authenticate itself, but could generate a QR code with URL parameters that points to a web app that can then authenticate a user. How can I use this authenticated user to generate a token or passcode that can be accepted by the device?

My first thought was to use a public/private key system. The web app and device will both have the public key and use the URL parameters as the private key to generate a passcode if the user is authenticated on the web app. But I don't think that would be secure, as the private and public key would be known and someone could just calculate the code themselves since they know both the public and private key... regardless of whether they are authenticated or not.

Am I going about this the wrong way? Any advice on how to handle this?

Edit: The picture below is my idea of the auth flow... My question would be, what could the shared secret be? If it's passed in URL parameters, then it's not secret, and they can calculate the code without being logged in.

[image: the proposed auth-flow diagram]
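One way to realise the flow sketched above, as an added example that is not from the post or any answer: the signing key lives only on the web app, the device holds nothing but the matching public key, and the URL parameters carry a one-time nonce rather than a secret, so knowing everything in the QR code does not let anyone mint a token. Assumed: Go's standard crypto/ed25519, a device ID and nonce made of URL-safe characters, a device clock good enough to check an expiry, and a user who can paste or scan the returned token into the device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"strconv"
	"strings"
	"time"
)

// Device side: holds only the web app's PUBLIC key plus the nonce of its pending challenge.
type Device struct {
	ID     string            // assumed URL-safe (constructed example value: "door-7")
	WebPub ed25519.PublicKey // the web app's public key, provisioned once
	nonce  string            // set by NewChallengeURL, cleared by a successful Accept
}
// NewChallengeURL builds the URL shown in the QR code; dev and nonce are public, they only bind a token to this attempt.
func (d *Device) NewChallengeURL(base string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	d.nonce = base64.RawURLEncoding.EncodeToString(b)
	return base + "?dev=" + d.ID + "&nonce=" + d.nonce, nil
}
// signedMessage is the exact byte string the web app signs and the device verifies.
func signedMessage(dev, nonce string, exp int64) []byte {
	return []byte(dev + "|" + nonce + "|" + strconv.FormatInt(exp, 10))
}
// IssueToken runs on the web app after the user has logged in (login itself is out of scope); only the web app holds priv.
func IssueToken(priv ed25519.PrivateKey, dev, nonce string, exp int64) string {
	sig := ed25519.Sign(priv, signedMessage(dev, nonce, exp))
	return strconv.FormatInt(exp, 10) + "." + base64.RawURLEncoding.EncodeToString(sig)
}
// Accept checks the token against the device ID, the pending nonce and the expiry using only the public key.
func (d *Device) Accept(token string, now time.Time) bool {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 || d.nonce == "" {
		return false
	}
	exp, err := strconv.ParseInt(parts[0], 10, 64)
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || err2 != nil || now.Unix() > exp ||
		!ed25519.Verify(d.WebPub, signedMessage(d.ID, d.nonce, exp), sig) {
		return false
	}
	d.nonce = "" // one-shot: the same token cannot be replayed against this device
	return true
}
```

A token signed for a different device ID, for a stale nonce, with a different key, or after its expiry is rejected, and a token accepted once is not accepted again.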
