Thanks for some good ideas.
We already implement a similar proctoring system at IITD. But its a system designed for a paper-based administration where you could be certain that only one answer sheet was going to be expected from a given student. Things change with paperless testing.
I was planning to use the password to make sure that no one off-site could get into the quiz. That is the other big potential issue. Coupled with subnet restrictions, it would definitely make sure that the only people who wrote the exam had to be present unless they had a Good Samaritan signing in for them. As you note, it would slow things out immensely if we got proctors to log people into the exam.
I already have a statement in the examination instructions that informs students that they are agreeing to an honor code by clicking start.
The method I suggested is the functional equivalent of the one you suggested with the passwords, but the advantage is that if an appropriate add-on exists, one would only need to (at one fixed location) check on an quiz unlock form upon production of an appropriate ID (as students checkin for the exam). That would be somewhat faster than the workaround suggested, and if the add-on was designed to accept batch submits of unlock requests, would be fairer as all quizzes would be unlocked at the same time. Otherwise the one by one password system, especially given its slowness, would severely disadvantage the people later in the queue.
The logs are not a good idea. Two reasons. One, we have 100+ students (in some classes, that number pushes 400+). Not humanly possible to do a good job. Two, a student may open up two different browsers and attempt both in parallel, so a pure timing analysis will not give you anything conclusive. An offline variant of this is to create a paper based attendance sheet and then compare that against the attempts. Again, a slow overhead on top of grading (which thanks to Moodle, is expected to be a smaller nightmare this time round).
Unless there is a plugin that detects that mutliple attempts originated from the same IP address, we don't really solve the problem at the other end. If there is a plugin that does that, that is an even better solution than the unlocking protocol I suggested, as it has no time overhead, and you zero in on to the offenders immediately.
Any idea if anything like this exists, etc.?