If anyone can create an OpenID identifier, how can I trust OpenID users?
An OpenID identifier is just that: an identifier. It’s just like the usernames you may already use on your site, but rather than being specific to your site, it is usable across the web. An OpenID identifier can be just as trusted as a local username if you put it through the same checks. When users sign up for an account on your site, do you ask them to validate an email address and pass a CAPTCHA test? You can do that with OpenID identifiers too, if you like! The best way is to have your site collect this information from the user the first time it sees a login from a particular identifier. If this is troublesome for some reason, you can also adapt your “sign up” page to allow a user to enter an OpenID identifier instead of a username/password. You don’t need to change the remaining sign-up steps at all, so you can make the user jump through as many hoops as you like!
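
The first-login flow described above, as an added example that is not part of the original FAQ. It assumes your OpenID library has already verified the assertion and handed back the claimed identifier; the class and method names, the in-memory store and the two required steps are hypothetical.

```python
# Added example: gate a first-seen OpenID identifier behind the site's usual sign-up checks.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

REQUIRED_STEPS = frozenset({"email", "captcha"})  # site policy (assumption)

@dataclass
class Account:
    identifier: str                      # verified claimed identifier, used as the account key
    email: Optional[str] = None
    email_token: Optional[str] = None
    done: set = field(default_factory=set)

    @property
    def active(self):
        return REQUIRED_STEPS <= self.done

class AccountStore:
    def __init__(self):
        self._by_identifier = {}         # stand-in for the site's user table

    def on_verified_login(self, identifier):
        """Call only after the OpenID library has verified the assertion."""
        acct = self._by_identifier.get(identifier)
        if acct is None:                 # first login from this identifier
            acct = self._by_identifier[identifier] = Account(identifier)
        return ("session" if acct.active else "signup_steps"), acct

    def start_email_check(self, acct, email):
        acct.email, acct.email_token = email, secrets.token_urlsafe(16)
        acct.done.discard("email")       # a changed address must be validated again
        return acct.email_token          # the site would mail this to the user

    def confirm_email(self, acct, token):
        ok = acct.email_token is not None and hmac.compare_digest(
            acct.email_token.encode(), token.encode())
        if ok:
            acct.done.add("email")
            acct.email_token = None      # token is single use
        return ok

    def record_captcha(self, acct, passed):
        if passed:                       # result of the site's own CAPTCHA check
            acct.done.add("captcha")
        return passed
```
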