Phil, You may use server whitelisting to require all logins to originate from e.g. providers supporting SSL/TLS for login, although I believe this would be against the spirit of OpenID. Regards, Dmitry =damnian