1) Have a password generated and sent via email. Thereby validating they have access to the email supplied.
2) Allow them to set a password on registration. There's no validation email sent at the moment for this.
I realise there's probably more work we can do on the 2nd option, or even make it a third option of "enable user to set password and send email validation link".