So assuming one trusts the model, would it work to have something like:
I have a /me/private/yourwebsite.com set up to be shared between me and your particular site; the link is set up when I sign up.
When I log in to your site, it would look for this directory to be there. In this directory there will be a file with a password hash; the server would load it and validate the hash of the typed-in password against the hash I provide. Once the login is successful it would remove this file.
This would basically mean that I could have single-use passwords for any site, as it would be trivial to have a browser add-on that generates a random password and corresponding hash when I want to log in somewhere. It types the password in the password field on the page, puts the hash in the keybase directory corresponding to it, and alerts me if the site does not remove the file after the login.
You can get rid of the middleman and just sign a nonce for the site, modulo the "don't sign whatever someone gives you" caveat. If you have a PGP key that uniquely identifies you, there are many many things you can do.
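The single-use password flow described in the first comment, as an added example that is not part of the original thread. A temporary directory stands in for the shared `/me/private/yourwebsite.com` folder; the file name `login.hash` and the use of unsalted SHA-256 (reasonable only because the password is random and used once) are assumptions.

```python
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path

HASH_FILE = "login.hash"  # hypothetical file name inside the shared directory

def client_prepare(shared_dir: Path) -> str:
    """Add-on side: make a random single-use password, publish only its hash."""
    password = secrets.token_urlsafe(32)
    digest = hashlib.sha256(password.encode()).hexdigest()
    (shared_dir / HASH_FILE).write_text(digest)
    return password

def server_login(shared_dir: Path, typed_password: str) -> bool:
    """Site side: check the typed password against the published hash."""
    path = shared_dir / HASH_FILE
    try:
        expected = path.read_text().strip()
    except FileNotFoundError:
        return False  # nothing published or already consumed, so a replay fails
    actual = hashlib.sha256(typed_password.encode()).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False  # file is only removed after a successful login
    path.unlink()  # consume the hash so the password cannot be reused
    return True

def client_audit(shared_dir: Path) -> bool:
    """Add-on side: True if the site removed the hash file after login."""
    return not (shared_dir / HASH_FILE).exists()

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp)  # constructed stand-in for the shared folder
        password = client_prepare(shared)
        result = {
            "wrong": server_login(shared, "not-the-password"),
            "first": server_login(shared, password),
            "replay": server_login(shared, password),
            "removed": client_audit(shared),
        }
        # A site that never deletes the file: the add-on should raise an alert.
        client_prepare(shared)
        result["stale_detected"] = not client_audit(shared)
        return result

if __name__ == "__main__":
    print(demo())
```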