I believe the tenability of your scheme varies from "unpossible" to "suitable for sites with such low traffic that the sysadmin can manually verify every login".