But wouldn't that require constant access to the server, whereas the key they could steal once with short access to server and use until it expires without the victim noticing?