Keith
There are many ways to make the software secure, most of which use 2-factor authentication: you have one bit, the key that is issued (which is often an encoded version of your email address); the second part is supplied either by, as you suggest, an internet connection or by phoning a number (automated or personal) where you supply a code displayed on your screen and generated by the key you have. You are then provided with an unlock key and the software is licensed.
This will not be unbreakable, but you can make it almost unbreakable and certainly commercially secure enough, as the compute power required to crack the code would be significantly more than the value of the product.
Other tricks can be used: taking a snapshot of hardware which provides a unique machine key is one method, as are placing encrypted files hidden on drives and hiding codes within the BIOS - all of which will work without a dongle or internet access.
Most of the industry gave up on dongles 10-20 years ago because there are more secure (and cheaper) ways to protect software now. But when you are using a 20-year-old codebase it is difficult to adopt current practices.
Iain
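
The activation flow described in the post above (issued key, on-screen code, unlock key, tied to a hardware snapshot), sketched as an added example that is not part of the original post or any vendor's code. It assumes the unlock key is an Ed25519 signature over the on-screen code, so the product carries only a public key; the function names, the `machineID` string and the sample values are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base32"
	"fmt"
)

var enc = base32.StdEncoding.WithPadding(base32.NoPadding)

// Challenge is the code shown on screen: a hash binding the issued key
// to a hardware snapshot (machineID is a hypothetical fingerprint string).
func Challenge(licenceKey, machineID string) string {
	sum := sha256.Sum256([]byte(licenceKey + "\x00" + machineID))
	return fmt.Sprintf("%x", sum[:8])
}

// IssueUnlock runs at the vendor only; the private key never ships.
func IssueUnlock(priv ed25519.PrivateKey, challenge string) string {
	return enc.EncodeToString(ed25519.Sign(priv, []byte(challenge)))
}

// VerifyUnlock runs in the product, which embeds only the public key, and
// recomputes the challenge so a key for another machine is rejected.
func VerifyUnlock(pub ed25519.PublicKey, licenceKey, machineID, unlock string) bool {
	sig, err := enc.DecodeString(unlock)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(Challenge(licenceKey, machineID)), sig)
}

// demoKeyPair derives a fixed key pair from a constructed seed (demo only).
func demoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKeyPair()
	key, machine := "DEMO-KEY-0001", "board:ABC123|disk:XYZ789" // constructed
	unlock := IssueUnlock(priv, Challenge(key, machine))
	fmt.Println("challenge:", Challenge(key, machine))
	fmt.Println("same machine:", VerifyUnlock(pub, key, machine, unlock))
	fmt.Println("other machine:", VerifyUnlock(pub, key, "board:OTHER", unlock))
}
```

An Ed25519 signature is 64 bytes (103 base32 characters here), so this form suits the internet-connection path more than reading a code over the phone.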