Too much of all of this discussion around OpenID focuses around whether or not it's OpenID's job to solve this problem, whether it is insecure, whether it promotes phishing, and so on. But none of the discussion focuses on what you should actually *do* when you care about making it easy for people to use your site while keeping security good enough.
Someone smart on the topic care to tell me what I should be doing as a website maker, and as a potential OpenID user on other websites?
So, the answer to this is: you should only accept OpenID logins from providers that use unphishable authentication. How can you know what authentication they use? Well, right now you can’t, but a group of us are about to work on the OpenID Provider Authentication Policy Extension (a.k.a. PAPE) which will enable you to find out.
Until then, my answer continues to be “just say no”, if you are a website maker. If you are an OpenID user, then the answer is to find a provider that supports unphishable authentication – at least you will be safe, even if the rest of the world continues to suffer.
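What the "only accept logins from providers that use unphishable authentication" rule looks like on the relying-party side, as an added example that is not code from this post: it builds the PAPE request parameters, then accepts a positive assertion only if the OP's signed response lists the phishing-resistant policy and a recent authentication time. The namespace, policy URIs and field names are those of PAPE 1.0 as it was later published (the post predates the spec); the MAC key, endpoints, identifiers and the `sample_response`/`accept_login` helpers are constructed for the example, and the `pape` alias is assumed rather than resolved from `openid.ns.*`.

```python
"""Relying-party check: accept an OpenID login only when the OP's *signed*
response says phishing-resistant authentication was used (PAPE 1.0 fields).
MAC key, endpoints and identifiers below are constructed for the example."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PHISHING_RESISTANT = "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
MULTI_FACTOR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"


def pape_request_params(max_auth_age=300):
    """Extra parameters the RP puts in its checkid_setup request: ask for
    phishing-resistant auth, and for it to have happened recently."""
    return {
        "openid.ns.pape": PAPE_NS,
        "openid.pape.preferred_auth_policies": PHISHING_RESISTANT,
        "openid.pape.max_auth_age": str(max_auth_age),
    }


def _kv_form(params, fields):
    # OpenID 2.0 signs the key-value form of the listed fields, in order.
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)


def sign_response(params, mac_key):
    """openid.sig as the OP computes it with the association's MAC key (HMAC-SHA256)."""
    fields = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, _kv_form(params, fields).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def accept_login(params, mac_key, max_auth_age=300, now=None):
    """Return (accepted, reason). Assumes the OP used the conventional 'pape'
    alias; a full RP would resolve the alias from the openid.ns.* parameters."""
    try:
        expected = sign_response(params, mac_key)
    except KeyError:
        return False, "openid.signed names a field the response lacks"
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return False, "signature does not verify"
    signed = set(params["openid.signed"].split(","))
    if params.get("openid.ns.pape") != PAPE_NS:
        return False, "response carries no PAPE data"
    # An unsigned PAPE field is worthless: the response travels through the
    # user's browser, so anyone could append auth_policies to the redirect.
    for field in ("pape.auth_policies", "pape.auth_time"):
        if field not in signed:
            return False, f"{field} is not covered by openid.sig"
    policies = set(params["openid.pape.auth_policies"].split())
    if PHISHING_RESISTANT not in policies:
        return False, "OP did not use phishing-resistant authentication"
    try:
        auth_time = datetime.strptime(params["openid.pape.auth_time"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return False, "malformed auth_time"
    auth_time = auth_time.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if now - auth_time > timedelta(seconds=max_auth_age):
        return False, "authentication is older than max_auth_age"
    return True, "ok"


# Constructed sample: a positive assertion from a fictitious OP, signed with a
# constructed association key. NOW is the instant the RP receives it.
MAC_KEY = b"constructed-association-mac-key-not-a-real-secret"
NOW = datetime(2007, 6, 1, 12, 0, 0, tzinfo=timezone.utc)


def sample_response(policies, signed_pape=("pape.auth_policies", "pape.auth_time")):
    core = ("op_endpoint", "claimed_id", "identity", "return_to",
            "response_nonce", "assoc_handle", "ns.pape")
    p = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/server",
        "openid.claimed_id": "https://alice.example/",
        "openid.identity": "https://alice.example/",
        "openid.return_to": "https://rp.example/finish",
        "openid.response_nonce": "2007-06-01T12:00:00Zabc123",
        "openid.assoc_handle": "assoc-1",
        "openid.ns.pape": PAPE_NS,
        "openid.pape.auth_policies": policies,
        "openid.pape.auth_time": "2007-06-01T11:59:30Z",
        "openid.signed": ",".join(core + tuple(signed_pape)),
    }
    p["openid.sig"] = sign_response(p, MAC_KEY)
    return p


if __name__ == "__main__":
    print(accept_login(sample_response(PHISHING_RESISTANT), MAC_KEY, now=NOW))
    print(accept_login(sample_response(MULTI_FACTOR), MAC_KEY, now=NOW))
    forged = sample_response(MULTI_FACTOR, signed_pape=("pape.auth_time",))
    forged["openid.pape.auth_policies"] = PHISHING_RESISTANT  # attacker edits the redirect
    print(accept_login(forged, MAC_KEY, now=NOW))
```

The two checks that matter are the ones a naive RP skips: that `pape.auth_policies` appears in `openid.signed` (the assertion comes back through the user's browser, so an unsigned field proves nothing), and that the policy is specifically phishing-resistant rather than merely multi-factor, since a one-time code typed into a lookalike page is still phishable. The signature check here assumes a stateful association; an RP in stateless mode would instead hand the same fields to the OP's check_authentication.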