by xvector 1485 days ago
Don't most services require you to confirm your email? Mallory would be unable to get past step 1.

Not really. It’s become a design trend to send a confirmation email but then not require it. Part of reducing user signup friction. Then later you might prompt or push the user to confirm or mark users with unconfirmed emails as a higher abuse risk.

The way I read it, it's dormant (unconfirmed) until Alice signs up, at which point it's implicitly confirmed through SSO.