There are lots of approaches to this, but the question is: how much do you want to spend, what platforms need supporting, and how secure does it need to be?
Is this for a web application or something else?
The sticking point might be binding them all together as peers, if you want the encryption & authentication mechanism to include two components (device & user) for the authentication, bound together in such a way that it's all or nothing. Is that a *hard* requirement?
There are PKI platforms that would do this for you but that might be overly complicated for what you want to achieve. Are the client applications within your control to develop?
M