2008-04-20

In thinking about using OpenID with TYWYK, I'm now also thinking about the security issues that come with it.

OpenID is really just about as insecure as email is for authentication. Anyone can run an OpenID server (just like a mail server) and create as many users on it as they want (just like a mail server). OpenID is not a spam-blocker and, as far as I can tell, never will be.

So how do we verify? We could send a verification link to the email address associated with the OpenID account, but that would be just as insecure as OpenID itself. I'm now thinking the best approach is to require the user to fill out a CAPTCHA along with their OpenID the first time they log in to a site. This would prevent automated spamming of user account creation.

Other ideas

On a side note, there should be another level to this with white/black-listing: list lookups for OpenID providers, just as there are for email servers. With these you could allow first-time authentication without a CAPTCHA and still be safe.
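One way to put the two ideas above together (the first-login CAPTCHA gate and the provider white/black lists) is a small decision function in the relying party, shown here as an added Python example that is not from the original post or from any OpenID library. The identifier normalization, the list format (bare provider domains, with subdomains matching), and the rule that a blacklisted provider is denied even for a returning user are all assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Hypothetical gating policy for an OpenID relying party (illustration only).
# Possible decisions for an incoming login:
ALLOW = "allow"      # let the login through, no CAPTCHA
CAPTCHA = "captcha"  # first visit from an unknown provider: require a CAPTCHA
DENY = "deny"        # provider is on the blacklist


def normalize_identifier(claimed_id: str) -> str:
    """Normalize an OpenID identifier before storing or comparing it:
    default to http://, lowercase scheme and host, drop the fragment,
    and treat a bare domain as its root path ("/")."""
    s = claimed_id.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    host = parts.hostname or ""        # .hostname is already lowercased
    path = parts.path or "/"
    return f"{parts.scheme.lower()}://{host}{path}"


def provider_host(claimed_id: str) -> str:
    """The provider part of an identifier, i.e. the host the list lookups use."""
    return urlsplit(normalize_identifier(claimed_id)).hostname or ""


def host_matches(host: str, listed: set) -> bool:
    """True if host equals a listed domain or is a subdomain of one
    (assumed list format: bare domains such as 'openid.example')."""
    return any(host == d or host.endswith("." + d) for d in listed)


def login_decision(claimed_id: str, seen_ids: set,
                   whitelist: set, blacklist: set) -> str:
    """Decide what to do with a login attempt.

    seen_ids  - normalized identifiers that already passed a CAPTCHA here
    whitelist - provider domains trusted enough to skip the first-login CAPTCHA
    blacklist - provider domains that are refused outright
    """
    ident = normalize_identifier(claimed_id)
    host = provider_host(ident)
    if not host or host_matches(host, blacklist):
        return DENY                      # blacklist wins, even for known users
    if ident in seen_ids:
        return ALLOW                     # returning user, CAPTCHA already done
    if host_matches(host, whitelist):
        return ALLOW                     # trusted provider: no CAPTCHA needed
    return CAPTCHA                       # unknown provider, first visit


def record_captcha_passed(seen_ids: set, claimed_id: str) -> None:
    """Remember an identifier once its owner has solved the CAPTCHA."""
    seen_ids.add(normalize_identifier(claimed_id))


if __name__ == "__main__":
    # Constructed sample lists and a short login sequence.
    whitelist = {"openid.example"}
    blacklist = {"spam.example"}
    seen = set()
    user = "Unknown.example/bob"
    print(user, "->", login_decision(user, seen, whitelist, blacklist))  # captcha
    record_captcha_passed(seen, user)
    print(user, "->", login_decision(user, seen, whitelist, blacklist))  # allow
    print("alice.openid.example/", "->",
          login_decision("alice.openid.example/", seen, whitelist, blacklist))
    print("spam.example/bot1", "->",
          login_decision("spam.example/bot1", seen, whitelist, blacklist))
```

Normalizing before comparison matters: without it, `Example.com/alice` and `http://example.com/alice#x` would look like two different first-time users and each get a fresh CAPTCHA, while a provider could also slip past a blacklist by varying the case of its hostname.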
