Apparatus and method for cryptographically securing unpowered or non-electronic IoT devices

US12531747B2 · US · B2

Patent metadata
Publication number: US-12531747-B2
Application number: US-202318197627-A
Country: US
Kind code: B2
Filing date: May 15, 2023
Priority date: May 17, 2022
Publication date: Jan 20, 2026
Grant date: Jan 20, 2026

Abstract

Official abstract text for this publication.

A system and method for cryptographically securing a product. For example, one embodiment of a method comprises: generating a first signature over a key to add an authenticator device to a chain of trust; generating a universal unique identifier (UUID) code; generating a second signature over the UUID code and metadata associated with the authenticator device using the key; and encoding the UUID code, metadata, and signature in an optical label of a product.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: generating a first signature over a first key to add an authenticator device to a chain of trust, the chain of trust comprising multiple levels of attestation, wherein the first signature is generated over the first key using a second key, the second key comprising a private key having a corresponding public key usable to validate the first signature and thereby authenticate the first key; generating a universal unique identifier (UUID) code; generating a second signature over the UUID code and metadata associated with the authenticator device using the first key; encoding the UUID code, the metadata, and the second signature in an optical label of a product; receiving, by a network service, a message containing the UUID code, the metadata, and the second signature responsive to a scan of the optical label by a scanning device; performing a lookup in a database with the UUID code to determine if a prior use of the product has been recorded; validating the UUID using the second signature if a prior use of the product has not been recorded and, when the UUID is successfully validated, updating the database to reflect a use of the product; and generating a failure notification when a prior use of the product has been recorded or when the UUID cannot be successfully validated.

2. The method of claim 1 wherein the authenticator device is a level 2 authenticator device associated with a particular factory authorized to manufacture the product, wherein the factory is assigned a level 1 factory authenticator to generate the first signature over the first key, the first signature usable to authenticate the first key.

3. The method of claim 1 wherein the metadata includes a date stamp, and versioning data associated with hardware or software version of the authenticator device.

4. The method of claim 1 wherein the UUID code and the second signature are to be generated by the authenticator device.

5. The method of claim 1, wherein the network service comprises an internet of things (IoT) service, the method further comprising: reading the UUID code, metadata, and second signature from the optical label, the reading performed via a mobile device app; and transmitting the UUID code, metadata, and signature to the IoT service for validation.

6. The method of claim 5 wherein the IoT service is to regenerate the second signature over the UUID code and metadata using the first key, the IoT service to validate the product if the regenerated second signature matches the second signature.

7. The method of claim 6 wherein generating the failure notification comprises sending a message to the mobile device app that the product cannot be used.

8. The method of claim 7 wherein the database comprises a database of products maintained by the IoT service, the database including UUIDs associated with products.

9. The method of claim 8 wherein the IoT service includes a communication interface to receive records for each of the products from the factory, wherein the factory is to provide the records including the UUIDs to the IoT service, each record to identify an authenticator device used to generate an optical label for a corresponding product.

10. A system comprising: a factory authenticator comprising a data processing device with a processor and memory, the factory authenticator to generate a first signature over a first key to add the first key to a chain of trust; an authentication device to: generate a universal unique identifier (UUID) code; generate a second signature over the UUID code and metadata associated with the authenticator device using the first key; and encode the UUID code, the metadata, and the second signature in an optical label of a product; wherein the optical code is usable to authenticate the product by a plurality of operations, comprising: receiving, by a network service, a message containing the UUID code, the metadata, and the second signature responsive to a scan of the optical label by a scanning device; performing a lookup in a database with the UUID code to determine if a prior use of the product has been recorded; validating the UUID using the second signature if a prior use of the product has not been recorded and, when the UUID is successfully validated, updating the database to reflect a use of the product; and generating a failure notification when a prior use of the product has been recorded or when the UUID cannot be successfully validated.

11. The system of claim 10 wherein the authenticator device is a level 2 authenticator device associated with a particular factory authorized to manufacture the product, wherein the factory authenticator is a level 1 factory authenticator to generate the first signature over the first key, the first signature usable to authenticate the first key.

12. The system of claim 10 wherein the metadata includes a date stamp, and versioning data associated with hardware or software version of the authenticator device.

13. The system of claim 10 wherein the UUID code and the second signature are to be generated by the authenticator device.

14. The system of claim 10, wherein the network service comprises an internet of things (IoT) service to receive the UUID code, metadata, and second signature, read from the optical label by a mobile device app; and the IoT service to attempt to validate the signature.

15. The system of claim 14 wherein the IoT service is to regenerate the second signature over the UUID code and metadata using the first key, the IoT service to validate the product if the regenerated second signature matches the second signature.

16. The system of claim 15 wherein generating the failure notification comprises sending a message to the mobile device app that the product cannot be used.

17. The system of claim 16 wherein the database comprises a database of products maintained by the IoT service, the database including UUIDs associated with products.

18. The system of claim 17 wherein the IoT service includes a communication interface to receive records for each of the products from the factory, wherein the factory is to provide the records including the UUIDs to the IoT service, each record to identify an authenticator device used to generate an optical label for a corresponding product.

19. A non-transitory machine-readable medium having program code stored thereon which, when executed by one or more machines, is to cause the one or more machines to perform the operation of: generating a first signature over a first key to add an authenticator device to a chain of trust, the chain of trust comprising multiple levels of attestation, wherein the first signature is generated over the first key using a second key, the second key comprising a private key having a corresponding public key usable to validate the first signature and thereby authenticate the first key; generating a universal unique identifier (UUID) code; generating a second signature over the UUID code and metadata associated with the authenticator device using the first key; encoding the UUID code, the metadata, and the second signature in an optical label of a product; receiving, by a network service, a message containing the UUID code, the metadata, and the second signature responsive to a scan of the optical label by a scanning device; performing a lookup in a database with the UUID code to determine if a prior use of the product has been recorded; validating t
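The flow recited in claim 1, sketched in Go as an added example that is not code from the patent or its assignee: a level 1 factory key endorses a level 2 authenticator key, the authenticator signs UUID plus metadata for the label, and the service does lookup, validation and use recording in the claimed order. Assumptions: both keys are Ed25519 pairs, the service verifies with public keys rather than regenerating the signature as claim 6 describes, the database is an in-memory map, and all type names, function names, the message encoding and the sample values are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Label is the optical-label payload: UUID, metadata and the second signature.
type Label struct {
	UUID, Metadata string
	Sig            []byte
}

// Service holds the trust anchor, the endorsed authenticator key and use records.
type Service struct {
	FactoryPub, AuthPub ed25519.PublicKey // level 1 anchor; level 2 "first key"
	AuthSig             []byte            // first signature: factory key over AuthPub
	Used                map[string]bool   // UUIDs with a recorded prior use
}

// msg length-prefixes the UUID so bytes cannot shift between the two signed fields.
func msg(uuid, meta string) []byte {
	return []byte(fmt.Sprintf("%d:%s|%s", len(uuid), uuid, meta))
}

// SignLabel is the authenticator device's step when the label is produced.
func SignLabel(priv ed25519.PrivateKey, uuid, meta string) Label {
	return Label{uuid, meta, ed25519.Sign(priv, msg(uuid, meta))}
}

// Scan follows the claimed order: lookup, validate, then record the use.
func (s *Service) Scan(l Label) error {
	if s.Used[l.UUID] {
		return fmt.Errorf("failure: prior use recorded for %q", l.UUID)
	}
	if !ed25519.Verify(s.FactoryPub, s.AuthPub, s.AuthSig) ||
		!ed25519.Verify(s.AuthPub, msg(l.UUID, l.Metadata), l.Sig) {
		return fmt.Errorf("failure: UUID %q cannot be validated", l.UUID)
	}
	s.Used[l.UUID] = true // only a validated label consumes the UUID
	return nil
}

func main() {
	fPub, fPriv, _ := ed25519.GenerateKey(nil) // constructed level 1 factory key
	aPub, aPriv, _ := ed25519.GenerateKey(nil) // constructed level 2 authenticator key
	svc := &Service{fPub, aPub, ed25519.Sign(fPriv, aPub), map[string]bool{}}
	l := SignLabel(aPriv, "constructed-uuid-0001", "date=2023-05-15;hw=1")
	fmt.Println(svc.Scan(l), svc.Scan(l)) // first scan accepted, rescan rejected
}
```

Because the use is recorded only after validation succeeds, a label with a bad signature does not consume the UUID of a genuine product.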

Assignees

Inventors

Classifications

  • using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates

  • involving time stamps, e.g. generation of time stamps

  • using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

  • involving public key infrastructure [PKI] trust models (network architecture or network communication protocol for supporting authentication of entities using certificates in a packet data network H04L63/0823)

  • H04L9/3247 (Primary): involving digital signatures

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12531747B2 cover?
A system and method for cryptographically securing a product. For example, one embodiment of a method comprises: generating a first signature over a key to add an authenticator device to a chain of trust; generating a universal unique identifier (UUID) code; generating a second signature over the UUID code and metadata associated with the authenticator device using the key; and encoding the UUI…
Who is the assignee on this patent?
Afero Inc
What technology area does this patent fall under?
Primary CPC classification H04L9/3247. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 20, 2026 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).