Security Best Practices for Users

Because an OpenID can be used to sign in to many websites, the value of an OpenID, both to its owner and to an attacker, increases with each additional site at which it is used. Users should take precautions to ensure that their account at their OpenID Provider (OP) is safeguarded against compromise, including choosing a strong password and keeping their account information up to date. Users should consider taking advantage of additional authentication options offered by their OP, such as signing in with a client certificate, two-factor authentication, or other stronger authentication methods.

Users who authenticate with a password at their OP should always be vigilant against phishing. Users should enter their password only on their OP's login screen, and should verify that the URL displayed in the browser's address bar is the URL of their OpenID Provider. Users should also be aware of other hints for recognizing their OP's login screen, as documented by their OP, including checking that the browser's HTTPS icon is displayed if the OP supports HTTPS, and setting up a personalized icon on the login screen.

If the user's OpenID Provider offers an HTTPS identifier, the user should log in to RPs with the https:// prefix on the identifier. The RP then performs discovery for that identifier over HTTPS, so an attacker who poisons the RP's DNS cannot substitute a forged OP endpoint without also presenting a valid certificate for the host; this better secures the user's account with that RP against DNS poisoning attacks.

Users should never share their password with sites that want to import their data. Users should instead insist that such sites use a delegated authorization protocol, such as OAuth, to obtain access to their data without being given their password.

When using a shared computer, users should remember to sign out of their OpenID Provider before giving up control of the computer. As long as the computer has an active browser session with the user's OpenID Provider, anyone using it can sign in as that user at OpenID RPs. The user should also take care to log out of each RP they logged in to, since logging out of the OP does not automatically log the user out of the RPs.
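The advice to type the identifier with an https:// prefix rests on how an RP normalizes and discovers a claimed identifier. The following script is an added example, not code from this page or from MedCommons or the OpenID Foundation: it implements the identifier normalization steps of OpenID Authentication 2.0 section 7.2 and reports whether discovery for the resulting identifier is protected by TLS. The identifiers alice.example.com and =alice are constructed sample inputs, and the function names are this example's own.

```python
"""OpenID 2.0 identifier normalization (spec section 7.2), shown to make the
point that a bare or http:// identifier and an https:// identifier are two
different claimed identifiers with different discovery guarantees.
Example code; not MedCommons or OpenID Foundation code. Sample identifiers
below are made up."""
from __future__ import annotations

from urllib.parse import urlsplit, urlunsplit

# XRI global context symbols (OpenID 2.0, section 7.2, rule 1).
XRI_GCS = ("=", "@", "+", "$", "!", "(")
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(user_input: str) -> tuple[str, str]:
    """Return (kind, normalized identifier); kind is 'xri' or 'url'.

    Steps follow OpenID Authentication 2.0 section 7.2:
      1. strip a leading 'xri://'; if a GCS character follows, it is an XRI;
      2. otherwise treat it as a URL, prefixing 'http://' if no scheme was
         typed (this is why a bare 'alice.example.com' ends up as http);
      3. apply RFC 3986 section 6 normalization: lowercase scheme and host,
         drop a default port, drop the fragment, give an empty path a '/'.
    """
    s = user_input.strip()
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    if s[:1] in XRI_GCS:
        return "xri", s
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme in identifier: {user_input!r}")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError(f"identifier has no host: {user_input!r}")
    userinfo = ""  # unusual in an OpenID, but RFC 3986 normalization keeps it
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += ":" + parts.password
        userinfo += "@"
    port = parts.port
    hostport = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    path = parts.path or "/"
    # The fragment is discarded; the query string stays part of the identifier.
    return "url", urlunsplit((scheme, userinfo + hostport, path, parts.query, ""))


def discovery_is_tls_protected(identifier: str) -> bool:
    """True when discovery for this claimed identifier (the RP's fetch of its
    XRDS document or HTML <link> tags, OpenID 2.0 section 7.3) runs over TLS.

    With a plain http identifier, an attacker who poisons the RP's DNS for the
    host can answer the discovery request with a forged OP endpoint; with an
    https identifier the forged server must also present a certificate that
    is valid for the host, which is the protection the text above refers to.
    """
    kind, normalized = normalize_identifier(identifier)
    return kind == "url" and normalized.startswith("https://")


if __name__ == "__main__":
    for raw in ("alice.example.com", "https://alice.example.com",
                "HTTP://Alice.Example.com:80/#profile", "xri://=alice"):
        kind, norm = normalize_identifier(raw)
        print(f"{raw!r:40} -> {kind:3} {norm!r} "
              f"tls_discovery={discovery_is_tls_protected(raw)}")
```

The two URL forms normalize to distinct claimed identifiers, so an RP that once saw the user as https://alice.example.com/ will not accept an assertion for http://alice.example.com/ as the same account; this is also why a user who switches to the https form may need to re-link the new identifier at RPs that already know the http one.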
© MedCommons Inc. 2009