@Tomas has the right idea. I would put the password attribute in the User model, and put email, confirmation_code, and is_confirmed? in the Login model.
Then you could have forms to add Logins to users with unvalidated email addresses. To validate an email address, you either have to get it from an OpenID/OAuth/FBConnect provider, or you have to have a way to trigger a validation, which sends an email to the user with a confirmation code. The user has to go that email client, retrieve the confirmation code, and enter it. If it matches, then the address is confirmed.
I stumbled across this method when using rpxnow.com for my authentication solution. You integrate once with rpxnow.com, and their login widget lets you integrate with Facebook, Google, Yahoo, Microsoft and OpenID. One datum it passes back after authentication is the verified email address.