I don't understand why they need it when they've already accepted and verified a login request, just need captcha to finish it off? (i.e. you don't get the captcha with bad creds)

I mean, maybe I can see/accept an argument for that. But when I have a recent order? When I'm logging in from the link you just emailed me?