Now that we've established that by "OpenID spoofing" nobody meant anything more than plain phishing, I think I found a solution: http://blog.phpbb.cc/2007/01/12/external-authentication-and-otp/ Any comments are welcome (first-timer moderation). Regards, Dmitry =damnian