What may be a good alternative way to verify return users with OpenID?

Question

I was looking into claimed identifiers, but they seem to have some issues with some providers, evidently? What about an attribute exchange request for an account's email address or something like that? Would that be a good alternative?

Advice much appreciated.

Answer 1

By "verify return users", I assume you just mean detect when a user returns to your account and log them in?

Attribute exchange data is provided by users, and is both optional and easily changed, so it can't be relied on for anything that is remotely related to account security.

Google's OpenID identifier is only unique per-domain — the workaround is just to have a single domain used for authentication. And that's assuming you have multiple domains. If you only have one domain, then there aren't any problems.