I have read that users find annoying having to verify their email so they can complete a simple registration, however removing that extra step and using CAPTCHAs to deal with bots leads to the uncomfortable situation in which users can't regain control to their accounts if they have forgotten their password.
So, what to do about that? Are there any alternatives to email confirmation? I was thinking that it may be acceptable to send a verification code to the email address entered when the user signed-up only when they have forgotten their password. As far as I know, the downside of not requiring email confirmation is that it's possible for users to impersonate someone else. As I don't wish to collect any information about the users, that wouldn't be a problem in itself. However, if the legitimate user tries to sign-up to the site, that email address wouldn't be available. A solution would be that, at that point, the user can be informed that the chosen email address has already been taken and he can have the opportunity to change his password, regaining access to his account using the verification code. Is there some problem with this approach? Are there better workable solutions?
By the way, SMS or paid third-party application are not an option for me.
Thanks in advance.
