I wanted to have a way of accessing parts of my email account from untrusted machines (e.g. from an internet cafe while on vacation). I didn't find a simple way to do this, so I wrote my own tool. It's a python/flask/gevent based server and a very minimal read-only frontend to display mails. It only allows access to a configured set of mailboxes using one times passwords or a YubiKey.
Definitely a cool idea. Though I feel like I would want to be able to have more flexible rules than "folder" to decide what the account can access. For example, "all unread emails newer than 1 day and containing the string 'registration'" would be quite useful. To be fair, it would be a bit of a pain to implement but it might be useful for the usecase of wanting to just get a single email.
It's also quite annoying that you have to set up the keys beforehand. Though, obviously if you could connect to the server to create keys then you wouldn't need to use this. :/
Thanks for your feedback. I've updated the code to be more flexible: You can now specify an IMAP search (https://tools.ietf.org/html/rfc3501#section-6.4.5). You can also create multiple "views" that use different searches for the same IMAP folder. So your example should be doable now.
I have. But TOTP is a bit tricky: A generated password isn't single use by design (as it's valid for 30 second window). So you'd have to make sure a single password can be only used once on the server side. Additionally the default 6 digit code seems a bit weak. It seems that 6 digits is fixed in Google Authenticator at the moment: https://github.com/google/google-authenticator/wiki/Key-Uri-....
HOTP might also be possible, but then you also have to store state (the counter) on the server side. Additionally that also seems to be limited to 6 digits in Google Authenticator.
My current approach is: Don't exhaust the tokens before you return from vacation :-)
Fair approach. Just a thought. Good point on the 30 second window, would suggest that (without ensuring the server only accepts it once) that someone else could gain access (though it being read-only they'd have limited access).
I'm not familiar with Yubikeys other than that they exist. How're you using them for authentication? Do they not have the potential password reuse issue (seems they include TOTP support among other methods of authentication)?
Also, I'm fairly new to TOTP and was a bit surprised that Google Authenticator didn't allow for longer keys. That seems like it ought to be easy, to this layman, to implement for them.
===EDIT===
Found my answer to the Yubikey question. Read their documentation on how their OTP works. My initial confusion was based on a cursory read through where I saw they supported TOTP, but they have another method that's not time-based. So, yeah, not sure a good solution to the TOTP password reuse problem, but might spend more time looking into using Yubikey for myself.
Feedback welcome.