h a l f b a k e r y
Why did I think of that?
add, search, annotate, link, view, overview, recent, by name, random
news, help, about, links, report a problem
or get an account
You enter the site via onetimepw.com, mark the site(s) that you want to allow someone to get into some day. When the day comes, give it the email of the person who should log in, and mark the check-boxes for the sites you allow them.
They get an email that links back to onetimepw.com and shows them
your site. They can do everything except change your password.
For pay onetimepw could restrict the actions of the user entering via the onetimepw.
Its halfbakery here, the unbaked part is getting the pw over to the site without anybody sniffing it.
Please log in.
If you're not logged in,
you can see what this page
looks like, but you will
not be able to add anything.
||So this is for when you want someone else to access your account on some site? I can't think of an occasion when I've ever wanted to do that, but never mind... Then, as I understand it, you'd give an intermediary, or 'proxy' site your password and tell it to admit someone with a certain email address. This would fail, not only because (as you point out), you can't easily transport your password securely to the proxy site (actually this problem is quite solvable), but also because anyone could spoof the email address used for access, and also, providing your password for a website to the proxy site would almost certainly contravene the terms and conditions of the website which that password is for. [-]
||A better way would be to have these one-time
passwords integrated into each website. After the
user with the one-time password is logged out, a
new OTP is randomly assigned to the account.
||// I can't think of an occasion when I've ever wanted
to do that, but never mind... //
||What if you're in a remote location with telephone
access but no internet?
||Also when you want to allow a friend to edit a file
for you, or you want to give an offshore worker
the possibility to use a paid service that you have
access to, but wish to limit it for now. Or when
you have a group of people you give access to an
FTP site, but only have a user/pw for the site, and
not an administrator pw (and of course this too is
||As opposed to you, hippo, I had this need many
||Perhaps I was not clear. The email they get has a
link back to the site with a token. So it cannot be
spoofed easily. In any case an extra confirmation-
email step could be used for this.
||Looking at the idea a second time: There should
not be a problem getting the pw over to the site.
It would be simple proxy with SSL.
||The site's code would have to be open source, so
that you can rest assured that no-one at OTP will
ever know your bank password.