If your website is providing an OpenId only authentication method (e.g. SO), what would be a best practice for handling a user whose openId account is lost or stolen or whatever...effectively preventing them from using your site.
If the user had associated two open ids to their account then they could use the other login etc but in the case where they haven't, they can no longer use your site.
Having a user prove his account for a manual open id change just opens your process up to social engineering (the core of the problem, i guess!)