I have a web app. I do not wish to maintain login information so I employ the gradually getting popular method of logging in thro openid, google, yahoo, etc.
The user chooses which avenue of login (openid, google, yahoo, etc). After couple of legs of redirection and the id supplier verifies the login is successful, the user is accepted. If my app sees the id for the first time it would put the user thro a registration mode. It would send the user an email with the encrypted validation key. The user clicks on the link in the email or copies the key into the entry field of the registration page.
Then I sat back for riposte and thought. What is the point of sending the first-time user an email with a validation key? Hasn't the user already demonstrated ownership of the id by logging in thro the id supplier-service.
The riposte I am contemplating is that I should only perform an emailed key validation when a user changes or supplies a new email. I should just consider a first time user validated once successfully logged in thro an id supplier, even for the first time, without need of an emailed key validation.
What do you think?