Custom_json has a required_auths attribute, I presume that can be changed to Active without too much trouble, although I haven't tried it. It would involve changing the transfer system to require it on the back end.
Doing it without active key would probably require the back end to publicly document transactions in order to keep the transparency, which does make it more centralized.
I'm revising my opinion of how much more work this would be as I think it through, though. It's probably easier to just get card delegation working, so we can move all of our Monsters into cold accounts.
Why not just create a simple login for your friends with normal passwords that they can remember? And it has zero risk, because it only lets the user do battle-related transactions.
Yeah, I think your idea makes sense if delegation isn't imminent. My issue with it is it doesn't solve the security hole of having large assets tied to the same key I have in code and hand out to front ends. But I'm less convinced those two issues can be solved at the same time than I was when I wrote the first comment, having thought it through some more.
Yeah, I think you're looking more at the security hole which they can still work on. I just want to give access to friends to play... and I'm not even willing to give them a posting key even if they couldn't do transfers and other Steem transactions... I just don't want them to have a key at all.