We use a proximity-based, visually verified key exchange that supports a "trust on first use" model. Our choice of token (patent filed) avoids the need for endpoints to consult a central identity database or keystore. The owner controls who is trusted with access to their device and data.
The strongly encrypted connectivity is provided by WebRTC, the cutting-edge standard already present in 2Bn browser endpoints and backed by Google, Microsoft and many others.
The Pipe SDK runs on the device, where it acts as a dynamic firewall and P2P VPN. Only packets coming from a paired peer are accepted. No network ports are left open to scanning or intrusion. We use ICE (RFC 5245) to navigate firewalls and find the most direct network path between the endpoints, which may be just the local WiFi network rather than a route via the internet. For the device developer, the Pipe SDK offers a simple, Linux-friendly interface to integrate into their devices or hubs.