If your website is providing an OpenId only authentication method (e.g. SO), what would be a best practice for handling a user whose openId account is lost or stolen or whatever…effectively preventing them from using your site.
If the user had associated two open ids to their account then they could use the other login etc but in the case where they haven’t, they can no longer use your site.
Having a user prove his account for a manual open id change just opens your process up to social engineering (the core of the problem, i guess!)
The answer to this is the same as “What if I lost my password” for password-auth sites or “what if I can’t access my email account” for sites that send password reminders over email. The most common approach seems to be the “security question,” which is really just another (often less secure) password. The other is “contact tech support”, which, yes, is vulnerable to social engineering.
The most robust solution I’ve heard to this is some sort of two-out-of-three system, where the user can say “oh, I lost my OTP token but I still have my phone and passphrase”, but seriously, that’s enough of a pain that only specialist providers will want to implement and maintain it.