It's fine but I'd like to authorize access for a limited time, without managing a whitelist or using an authentication server.
My idea was to call Bluetooth for help. I expect BT has a much shorter reach than wifi. So if your phone/tablet is within the Pi's BT range, you're basically in the visual range (not to say within arm's reach...) of a responsible person. Once the Pi has acknowledged your BT address, then this information would be used to authorize wifi access (for a limited time) via hostapd.
I'm not very much versed into WDS and all that. I'm a bit surprised I can't find a lightweight 2-factor authentication system like this in contributed software.
I suppose I am wrong somewhere. Comments, anyone?
EDIT: I'll respond to myself, then. The 1st thing I've found is that BT discovery is flaky/slow (not too surprising) and the 2nd is that discovery succeeds at great distances
So there is no point in using BT in my case... I was pointed towards the use of a screen displaying QR codes along with automated password rotation. Visual range is easily made much lower than wifi range, so that's great.I don't use a screen, so I will rather generate an html page in a well-known location. That page will be accessible from ethernet or from trusted wifi devices.