One time password for single use guest key

Alec Jacobson

June 26, 2010

What's the online equivalent to leaving your house key under the doormat? A number of times I have been caught in a situation where I'm not at a computer and need to get something off of my email. I call a friend, entrust them with my password, retrieve the information and proceed to worry that I have (1) allowed my friend to (un)intentionally view something private of mine or (2) at least put my friend in the unfair situation where he needs to convince himself not to snoop. Whether he ever would or should is not the point; the situation of my giving him such a powerful position is bad enough.

Here's a solution: when I sign up for a new email account, I should give a normal password and a "one time password". I don't tell anyone my OTP. But then if I ever need to let a friend into my account I give them this OTP that works just once.

The email provider could come up with all sorts of different schemes for how the "just once" is defined. By time: logs off automatically after 60 seconds. By activity: logs off after n searches. Or just limit access for a single session: only able to view certain emails or of a certain age... blah blah blah. It could be as secure as you wanted it to be. The point is that the current situation isn't secure at all: you have to give out your entire password.

I guess the reason giving out your password is not the same as leaving a key under your doormat is that your key is a single object and it doesn't unlock every door in your house, much less provide you with a simple way to search for valuable items.
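A minimal sketch of how a provider might enforce the scheme described above, added here as an example and not code from the original post: the guest OTP is stored only as a salted hash, works exactly once, and opens a session that ends after 60 seconds or n searches. The names `GuestKey`, `redeem` and `search`, and the sample mailbox, are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

class GuestKey:
    """Single-use guest password that opens one time- and activity-limited session."""

    def __init__(self, otp, ttl_seconds=60, max_searches=3, clock=time.monotonic):
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(otp)       # keep only a salted hash of the OTP
        self._used = False
        self._ttl, self._max, self._clock = ttl_seconds, max_searches, clock
        self._sessions = {}                  # token -> [expiry, searches_left]

    def _hash(self, otp):
        return hashlib.pbkdf2_hmac("sha256", otp.encode(), self._salt, 100_000)

    def redeem(self, otp):
        """Return a session token the first time the correct OTP is given, else None."""
        ok = hmac.compare_digest(self._hash(otp), self._digest)
        if not ok or self._used:
            return None
        self._used = True                    # burn the OTP before issuing the session
        token = secrets.token_urlsafe(32)
        self._sessions[token] = [self._clock() + self._ttl, self._max]
        return token

    def search(self, token, query, mailbox):
        """Run one guest search; raise PermissionError once a limit is reached."""
        session = self._sessions.get(token)
        if session is None:
            raise PermissionError("unknown or ended session")
        expiry, left = session
        if self._clock() >= expiry or left <= 0:
            del self._sessions[token]        # log the guest off for good
            raise PermissionError("guest session expired")
        session[1] = left - 1
        return [m for m in mailbox if query.lower() in m.lower()]

if __name__ == "__main__":
    # Constructed sample data for the demo.
    mailbox = ["Flight confirmation ABC123", "Lunch on Friday?"]
    key = GuestKey("doormat-7391", max_searches=1)
    token = key.redeem("doormat-7391")
    print(key.search(token, "flight", mailbox))
    print(key.redeem("doormat-7391"))        # second use of the OTP is refused
```

The normal account password is untouched by any of this, so the friend never holds a credential that outlives the one session.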