Ok, thanks for the reply.
Deleting OTPs from the DB that are older than, say, 5 minutes is very important to avoid server bloat on high traffic servers.
Given that time-based OTPs such as Google Authenticator are only valid for 60 seconds (+ clock skew allowance by verifying server), I don’t really see a pressing need to store OTPs as a hedge against replay attacks.
Would you consider an option to not store OTPs in a DB at all?
I’m seeing this also, but in IE 9. Pages with the expander are shown with the expander open, and it cannot be closed by clicking.
False alarm. The issue is with another plugin (Google Analyticator) which is throwing an exception and this is preventing the OpenID selector from showing the selector boxes. Disabling Google Analyticator lets OpenID selector work as normal.
