Thanks for your feedback on the topic.
Indeed currently I'm using "passkey authorization" during the pairing process. Although I don't have a keyboard or display on my BLE devices I have created an "automated pairing" process based on passkey verification.
On my Zephyr board acting as BLE peripheral I set a random generated passkey (6 digits).
static void auth_passkey_entry(struct bt_conn *conn, unsigned int passkey)
}This passkey will be transmitted encrypted by AES 128 via the BLE advertisement. Only a BLE central device having the same private AES key will be able to decrypt it.
On my BLE central I'm running a BLE QT application that manages to set the passkey automatically without user interaction. When the BLE central tries to pair with the BLE peripheral (Zephyr), the BLE central application injects automatically the passkey (BlueZ Dbus API) when asked.
So I just need the NFC process on the Zephyr board for receiving the private AES key during the commissioning phase.