You are reading a single comment by @gbj_tester and its replies.
  • Difficult to do as the username is created once they authenticate.

    Originally (a long time ago) I tried to have a smarter default, i.e. the first part of the email address used to authenticate. But that's obviously a privacy nightmare and would fall foul of GDPR now.

    I did experiment with a forced flow to prompt to set a username when replying, but that typically lost someone's reply... i.e. the more hurdles you introduce the fewer people bother jumping them and some very notable members stayed as user76845 style names for a long time.

    I do think there's something that can be done though... perhaps to change the reply box itself to show the current avatar and username on the left as a kind of "you are posting as" reminder that their identity is currently crappy.

  • Difficult to do

    Pretty much every sign-up form I've ever used (which doesn't use email address as username) has asked me to create a username in the first field. It might be difficult to change your code to do this, but it's obviously very easy in general.

  • which doesn't use email address as username

    Yup, that's the bit.

    Either we own the authentication of a username and password, and the inherent risks of then being an identity provider (i.e. all previous versions of this forum based on vBulletin and Vanilla experienced security breaches with total loss of their user database, email addresses and passwords)... or we do what we are doing, which is to rely on external identity providers via Auth0 and OpenID Connect (Google, Microsoft)... and then we get the benefit of their security teams and processes, and can be sure that we cannot leak passwords and won't appear on a haveibeenpwned announcement.

    But... the side effect of external authentication as an async process... it is async, and so there isn't a trivial way to block things and force something like there is when you try and run security yourself.

    When I made this choice I prioritised account and data security over convenience and control, accepting at the time that the default username thing was an ugly compromise in favour of security.
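The flow described above (identity comes back asynchronously from an external IdP, so the account and its placeholder username must exist before any "choose a username" prompt can run, and an abrupt prompt loses the reply) can be sketched as follows. This is an added illustration, not the forum's code: the `Forum`, `User` and `Session` names, the `user000000` placeholder format and the username policy regex are all assumptions. Token signature, issuer and audience checks are taken to be done by the OIDC client library before the callback runs.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed username policy for this sketch, not the forum's real rule.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")


@dataclass
class User:
    subject: str                          # IdP's stable "sub" claim: the real identity key
    username: str
    username_is_placeholder: bool = True  # True until the member picks a name


@dataclass
class Session:
    user: User
    pending_reply: Optional[dict] = None  # draft parked while a username is chosen


class Forum:
    """Hypothetical forum backend that never stores passwords: identity is
    whatever the OpenID Connect provider asserts in the ID token."""

    def __init__(self) -> None:
        self.users_by_subject: dict[str, User] = {}
        self.usernames: set[str] = set()
        self.posts: list[dict] = []

    def placeholder_username(self) -> str:
        # Random suffix, never derived from the email address: the local part
        # of an address is personal data and would become a public display name.
        while True:
            name = f"user{secrets.randbelow(10**6):06d}"
            if name not in self.usernames:
                return name

    def on_oidc_callback(self, claims: dict) -> Session:
        """Runs when the IdP redirects back with verified ID-token claims.
        We only learn who the user is here, after the async round-trip, so a
        first login necessarily lands on a placeholder username."""
        sub = claims["sub"]
        user = self.users_by_subject.get(sub)
        if user is None:
            user = User(subject=sub, username=self.placeholder_username())
            self.users_by_subject[sub] = user
            self.usernames.add(user.username)
        return Session(user=user)

    def post_reply(self, session: Session, thread_id: int, body: str):
        """Gate posting on having a real username, but park the draft in the
        session instead of discarding it, so the forced prompt loses nothing."""
        if session.user.username_is_placeholder:
            session.pending_reply = {"thread_id": thread_id, "body": body}
            return "needs_username", None
        return "posted", self._store(session.user, thread_id, body)

    def set_username(self, session: Session, new_name: str):
        """Apply the chosen username; if a reply was parked, submit it now."""
        if not USERNAME_RE.match(new_name):
            return "invalid", None
        if new_name in self.usernames:
            return "taken", None
        user = session.user
        self.usernames.discard(user.username)   # free the placeholder
        user.username = new_name
        user.username_is_placeholder = False
        self.usernames.add(new_name)
        if session.pending_reply is not None:
            draft = session.pending_reply
            session.pending_reply = None
            return "posted", self._store(user, draft["thread_id"], draft["body"])
        return "renamed", None

    def _store(self, user: User, thread_id: int, body: str) -> dict:
        post = {"thread_id": thread_id, "author": user.username, "body": body}
        self.posts.append(post)
        return post


if __name__ == "__main__":
    forum = Forum()
    # Constructed claims standing in for a verified ID token from the IdP.
    session = forum.on_oidc_callback({"sub": "idp-subject-123", "email": "alice@example.com"})
    print(forum.post_reply(session, 1, "first reply"))      # ('needs_username', None)
    print(forum.set_username(session, "alice"))             # ('posted', {...})
```

The point the sketch makes is that the username prompt cannot be wedged into the authentication step itself, because that step finishes on the IdP's side; what the application can control is what happens after the callback, and keeping the draft in the session is what stops the extra hurdle from costing the reply.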
