This was exactly my point. There are so many different options and all this post was really about was combining random 32bit integers into a byte array to help form a key. I mean, I could easily have a preset encryption key specific to my group of devices, then encrypt the individual keys with that to be sent to the device I'm pairing with. The key itself is not shared, but an encrypted version of it is. I could maybe even double encrypt the data with that and the key that was shared. While this won't be through a web interface, for simplicity, one could probably compare it to entering your password over an SSL connection. Even though it's secure, you're still using a separate key/password to authenticate. There are so many possibilities that one should not just assume any one of them.