With identification of user being such a big issue, and one that will grow as demexp grows, maybe having a third party handle them make sense? As for now this could just be another server put up by us, but in the long term it could be something not related to demexp. In sweden we have something called BankID that works as an e-legitimation and is used by banks and some other organisations to identify people on the internet.
Regarding different accounts on demexp server and drupal, i think it is plain "weird" :)
Why are they needed to be different? Because it is hard to get a demexp account and easy to get a drupal account? I suggest that in the long run we use only one account, and that account having a flag of either identified user or not. That way account creation can be easy, while real life identification of the user can be as complicated as required.