I guess that the thing is that the ‘chronological disconnect’: the message about logging in again comes when the user is already ‘logged in’, so they (ok, I) tend to gloss over it.
What you said here reinforces that misconception: “setup a real authentication method once they arrive”. If I have correctly understood, in the case of external authentication, it’s not when they arrive, but when they come back next time? Or is it not even next time (if there’s a cookie involved)?
And I’m not sure that “but it must resolve to the same email address that you received your original invitation email at.” Is very understandable in normal human speak.
How about something like this:
IMPORTANT: For the moment you have been ‘magically’ logged in via the special link in your invitation. To ensure that you can connect again next time (or from another computer), you should take the time NOW to set-up a password (link to preferences). Alternatively you will be able to use your Google/Facebook account to login next time, as long as the email address associated with that account is the same as the one used for your invitation.
:thinks: For this to work, the server-side code would have to be modified to check whether Google/Facebook is effectively enabled and construct the welcome message accordingly. And as we’ve seen (I think), this wouldn’t apply to Twitter authentication.
Otherwise, with a generic message, the only way for the user to be able to work out what is available would be to log out - at which point if there isn’t an alternative authentication method, they’d have to fall back on the ‘set password link’ in the second email. So it’s not impossible, but not very intuitive either.
Well sticking that bit in the ‘set your password email’ as well as in the welcome PM would mean that they still have the means to read it again even if they didn’t the first time.