I have a hard time seeing what friction is added, though, with proper thought. If you don't require email validation but use it as a unique login identifier, then a malicious body could DoS all future users via bulk signups. DDoS required if you use rate limiting on signups. Slightly different application of the attack but still a denial of service.
Even a non-hacker could block another user from signing up by simply creating an account with someone else's email address.
If you don't use it as a unique login identifier, there's no problem at all. New users use their username to log in.
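Added example, not part of the original comment: a toy signup store that contrasts the two cases discussed above, an email address claimed as the unique login identifier at signup versus claimed only after the mailbox owner presents a validation token. The class, function names and addresses are constructed for illustration, and the token returned by `signup` stands in for the mail delivered to the address.

```python
import secrets

class SignupStore:
    """Toy account store in which the email address is the unique login identifier."""

    def __init__(self, require_verification):
        self.require_verification = require_verification
        self.owners = {}     # email -> account id that holds the identifier
        self.pending = {}    # token -> (email, account id) awaiting proof of mailbox control
        self.next_id = 1

    def signup(self, email):
        email = email.strip().lower()
        if email in self.owners:
            return None, None                      # identifier already taken
        account, self.next_id = self.next_id, self.next_id + 1
        if not self.require_verification:
            self.owners[email] = account           # whoever typed it first keeps it
            return account, None
        token = secrets.token_urlsafe(16)          # stands in for the mail sent to the address
        self.pending[token] = (email, account)
        return account, token

    def verify(self, token):
        email, account = self.pending.pop(token, (None, None))
        if email is None or email in self.owners:
            return None
        self.owners[email] = account
        # Unverified claims on the same address lapse once the mailbox owner proves control.
        self.pending = {t: e for t, e in self.pending.items() if e[0] != email}
        return account

def victim_can_register(require_verification):
    store = SignupStore(require_verification)
    store.signup("victim@example.test")                     # someone else types the address first
    account, token = store.signup("Victim@example.test")    # the mailbox owner arrives later
    if account is None:
        return False                                        # blocked by the unverified signup
    return token is None or store.verify(token) == account

if __name__ == "__main__":
    print("no validation:", victim_can_register(False))
    print("validation required:", victim_can_register(True))
```

Pending entries in this model never expire, so bulk signups still consume storage even when validation is required.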