A set of security best practices was recently published via wiki for users, providers, and relying parties of OpenID. One thing really caught my eye: “Relying Parties should not use OpenID Assertions to authorize transactions of monetary value if the assertion contains a PAPE message indicating that the user authenticated with Assurance Level NIST Level 0.” This gives the relying party some level of assurance and the ability to pick and choose which OpenID providers they trust to authenticate their users. I had previously complained that any site falling within the scope of a number of regulations wouldn’t really have the option of becoming a relying party.
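A sketch of how a relying party could enforce the quoted rule, added here as an example and not taken from the wiki or from any OpenID library. It assumes the assertion's signature has already been verified by the relying party's OpenID library and that the parameters arrive as a flat dict; the function names, the sample assertion, and the stricter choice to refuse when the level is missing or unsigned are all assumptions of this example.

```python
# OpenID extension and NIST assurance-level namespaces as defined by PAPE 1.0.
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
NIST_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf"


def nist_level(params):
    """Return the signed NIST assurance level (0-4) from an assertion, or None."""
    signed = set(params.get("openid.signed", "").split(","))
    # The provider picks the extension alias, so locate PAPE by namespace URI.
    alias = next((k[len("openid.ns."):] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return None
    ns_prefix = f"openid.{alias}.auth_level.ns."
    for key, value in params.items():
        if key.startswith(ns_prefix) and value == NIST_NS:
            level_key = f"openid.{alias}.auth_level.{key[len(ns_prefix):]}"
            # Fields missing from openid.signed could have been added in transit.
            covered = {key[len("openid."):], level_key[len("openid."):]} <= signed
            raw = params.get(level_key, "")
            if covered and raw in {"0", "1", "2", "3", "4"}:
                return int(raw)
    return None


def may_authorize_payment(params, minimum=1):
    """Hypothetical policy hook: refuse level 0, and (assumption) refuse when
    no signed NIST level is present at all."""
    level = nist_level(params)
    return level is not None and level >= minimum


# Constructed sample: the relevant fields of a positive assertion at NIST level 0.
SAMPLE = {
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_level.ns.nist": NIST_NS,
    "openid.pape.auth_level.nist": "0",
    "openid.signed": "ns.pape,pape.auth_level.ns.nist,pape.auth_level.nist",
}

if __name__ == "__main__":
    print("NIST level:", nist_level(SAMPLE))
    print("authorize payment:", may_authorize_payment(SAMPLE))
```

A relying party bound by a specific regulation would raise `minimum` to the level that regulation requires.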
Source: https://www.csoonline.com/article/2135951/openid-publishes-security-best-practices.html

