You are correct in theory. If your OpenID account is compromised, everything attached to it is also at risk. In the wild, the risk is not much greater than someone compromising only your email account. AFAIK, there is no central list of what a particular OpenID account is tied to, so an attacker would need to know what you were actually using it for to exploit that. If they compromise your email alone, they have all of that anyway. Even if they don't have the password in your email, they can just reset it via your email, and by the time you notice, the damage is done. That is why two-factor is the best approach. At least if they do get a password, they also need a landline or cell phone number, or a mobile device tied to your account with the authenticator installed under your account. Not impossible by any stretch, but it makes it that much more difficult. Google (and most others) also uses browser fingerprinting and geolocation data to pair with your authentication requests. If you are not in the same general location, with the same browser fingerprint, it will raise flags and prompt you to perform additional validation. I sometimes use several things to obfuscate my usage, and most large sites will stop me if I have tried to hit a service with an unusual pattern. Google will send me a text message before opening anything they control.
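The "same general location, same browser fingerprint" check the answer describes is easy to sketch as a risk-based login decision. The following is an added, illustrative example and is not the answer author's code nor Google's actual logic; the thresholds (`SAME_AREA_KM`, `MAX_PLAUSIBLE_SPEED_KMH`), the `LoginEvent`/`UserProfile` types and all sample logins are assumptions constructed for the example. A login from an unknown fingerprint, from far outside the user's last known area, or at an impossible travel speed is stepped up to additional validation instead of being allowed outright:

```python
"""Risk-based login step-up (added illustrative example; thresholds are assumptions)."""
from dataclasses import dataclass, field
from math import radians, sin, cos, asin, sqrt
from typing import List, Optional, Set, Tuple

EARTH_RADIUS_KM = 6371.0
SAME_AREA_KM = 200.0             # assumption: what counts as the "same general location"
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly airliner speed; faster is "impossible travel"


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass
class LoginEvent:
    user: str
    fingerprint: str   # opaque hash of UA, screen, fonts, etc. (constructed values below)
    lat: float         # geolocation derived from the client IP
    lon: float
    ts: float          # epoch seconds


@dataclass
class UserProfile:
    known_fingerprints: Set[str] = field(default_factory=set)
    last_login: Optional[LoginEvent] = None


def assess(profile: UserProfile, event: LoginEvent) -> Tuple[str, List[str]]:
    """Return ("allow" | "step_up", reasons). Any anomaly triggers step-up."""
    reasons: List[str] = []

    if event.fingerprint not in profile.known_fingerprints:
        reasons.append("unknown browser fingerprint")

    last = profile.last_login
    if last is not None:
        dist = haversine_km(last.lat, last.lon, event.lat, event.lon)
        hours = max((event.ts - last.ts) / 3600.0, 1.0 / 60.0)  # floor avoids div-by-zero
        if dist > SAME_AREA_KM:
            if dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
                reasons.append(f"impossible travel: {dist:.0f} km in {hours:.1f} h")
            else:
                reasons.append(f"new location {dist:.0f} km from last login")

    return ("step_up" if reasons else "allow"), reasons


def record_login(profile: UserProfile, event: LoginEvent) -> None:
    """Call only after the login (and any step-up) succeeded: trust the device, move the anchor."""
    profile.known_fingerprints.add(event.fingerprint)
    profile.last_login = event


# Constructed sample data: alice last logged in from New York with fingerprint "fp-a1".
ALICE = UserProfile(known_fingerprints={"fp-a1"},
                    last_login=LoginEvent("alice", "fp-a1", 40.7128, -74.0060, ts=0.0))

SAMPLE_LOGINS = {
    "newark_same_device": LoginEvent("alice", "fp-a1", 40.7357, -74.1724, ts=3600.0),
    "london_two_hours_later": LoginEvent("alice", "fp-a1", 51.5074, -0.1278, ts=7200.0),
    "newark_new_device": LoginEvent("alice", "fp-zz", 40.7357, -74.1724, ts=3600.0),
    "la_two_days_later": LoginEvent("alice", "fp-a1", 34.0522, -118.2437, ts=2 * 86400.0),
}


def run_samples() -> dict:
    """Assess every constructed login against alice's profile (profile is not mutated)."""
    return {name: assess(ALICE, ev) for name, ev in SAMPLE_LOGINS.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in run_samples().items():
        print(f"{name:24s} -> {decision:8s} {'; '.join(reasons)}")
```

Note that `record_login` is deliberately separate from `assess`: the new fingerprint is only added to the trusted set after the step-up succeeds, otherwise an attacker who gets past the password check would have their device trusted for free.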