Re: that last boost, my answer would’ve been “verify” too. If their email gets compromised, you potentially keep the bad actor out of your system, and also limit the splash damage.
Then you’ve got the problem of password recovery via email, so ideally you’d verify with a memorable word or recovery code instead…
MastodonSimon Willison (@simon@simonwillison.net)Account security software design question: if a user has created an account with an email and password, and verified that email address (via clicking a link/entering a code in an email they sent you)... and then later they SSO "sign in with Google" from a Google account for that same email address, is it OK to grant them access to their previously created account without first requiring their password as an extra verification step?
[ ] Yes that's fine
[ ] No that's not safe (reply with reasoning)
[ ] Just see the results