I don’t think it’s a dumb idea at all, and I think I understand now: Ring seems to let you add a device, but it’s actually adding/authorising an application instance running on another device, if I get it right, and I think it could be implemented on the SAFE Network. Also, note that Ring requires you to type the PIN and also the password on the other device.
1- You could create your account as you do it today, which you would need to do with the secret and password.
2- Then, when you want to add a “device”, which is basically pre-authorising an app, the Authenticator could generate all the signing/encryption keys as it does today for an app when it’s authorised (there are some details to consider here though, related to generating a random id/name for the app, I believe).
3- In the normal scenario, the Authenticator sends all the generated keys back to the app using the system URI mechanism, encoding them into what we call the authorisation URI. But it could encrypt the auth URI with a newly generated encryption key which will be shared with the other device/app (this encryption key would be analogous to the PIN in the Ring flow, perhaps using a QR code to have the other device scan it, as an encryption key wouldn’t be as easy to type as a PIN).
4- The encrypted auth URI can now be stored in a MutableData whose address is the hash of the group ID you’ve chosen (the Authenticator could give you administration tools to manage your groups of devices).
5- At this point, you scan the QR code with the other app to get the encryption key and group ID; the app can now go and fetch the MutableData, decrypt and decode the auth URI, and finally connect to the network. It can also remove the data published in the group ID’s MutableData so it’s a bit more secure, and you can also have the Authenticator remove it after a period of time as an additional security measure.
You can also just share the auth URI with the other device via a QR code instead of storing it on the network, and that would be an even (much) simpler flow (assuming it all fits in the QR code capacity).
I think this is exactly what we need for IoT devices: you acquire an IoT device, then you provision it with this flow from the Authenticator, which can be running on your PC, tablet, or mobile phone. After that, the IoT device can connect directly to the network without the need of the Authenticator, and you can revoke its access and/or permissions any time you want, from anywhere, using your account with the Authenticator.
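As an added example (not code from the post above or from the SAFE Network project), here is the flow of steps 2 to 5 in Go, with the Authenticator side publishing an encrypted auth URI at the hash of a group ID and the new device claiming it with the key it scanned from the QR code. AES-256-GCM stands in for the Authenticator's encryption, an in-memory map stands in for MutableData, and the names `Publish`, `Claim`, `newGCM` and the sample group IDs are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// network stands in for the MutableData store (constructed; address = hash of the group ID).
var network = map[[32]byte][]byte{}

// newGCM builds AES-256-GCM; a QR-scanned key of the wrong length is rejected here.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Publish is the Authenticator side (steps 2-4); the returned key is what the QR code carries.
func Publish(authURI, groupID string) ([]byte, error) {
	buf := make([]byte, 32+12) // fresh 256-bit key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	aead, _ := newGCM(key) // cannot fail: the key is exactly 32 bytes
	// Stored as nonce || ciphertext || tag, so the device detects a tampered record.
	network[sha256.Sum256([]byte(groupID))] = aead.Seal(nonce, nonce, []byte(authURI), nil)
	return key, nil
}

// Claim is the new device side (step 5): fetch, decrypt, then remove the record.
func Claim(key []byte, groupID string) (string, error) {
	addr := sha256.Sum256([]byte(groupID))
	sealed, ok := network[addr] // absent once consumed, so a second claim fails
	aead, err := newGCM(key)
	if !ok || err != nil || len(sealed) < aead.NonceSize() {
		return "", errors.New("no pending record, bad key or malformed record")
	}
	plain, err := aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
	if err != nil {
		return "", err // wrong key or tampered record: leave it for a valid claim
	}
	delete(network, addr) // one-shot: remove the published data after use
	return string(plain), nil
}
```

Anyone who only knows the group ID can fetch the record but not decrypt it, and anyone who only holds the key does not know where to look, which is what makes the QR code the PIN analogue.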