You should add a user option, call it HAS_USER_LOGGED_IN and set the default value to false. You detect this option when the user logs in. If the option is set to false or does not exist, then allow login to log in and set the option to true. Next time, if the user logs in, he/she will not be able to login, because the option is set to true.