-
which doesn't use email address as username
Yup, that's the bit.
Either we own the authentication of a username and password, and the inherent risks of then being an identity provider (i.e. all previous versions of this forum based on vBulletin and Vanilla experienced security breaches with total loss of their user database, email addresses and passwords)... or we do what we are doing, which is to rely on external identity providers via Auth0 and OpenID Connect (Google, Microsoft)... and then we get the benefit of their security teams and processes, and can be sure that we cannot leak passwords and won't appear on a haveibeenpwned announcement.
But... the side effect of external authentication as an async process... it is async, and so there isn't a trivial way to block things and force something like there is when you try and run security yourself.
When I made this choice I prioritised account and data security over convenience and control, accepting at the time that the default username thing was an ugly compromise in favour of security.
-
there isn't a trivial way to block things and force something
There probably is a fairly trivial way to draw people's attention to the fact that they can customise their username. People are generally both thick and incurious, so it won't occur to most of them that they can do it, and they won't be able to work out how to do it unless you put a step-by-step guide right in front of them.
Pretty much every sign-up form I've ever used (which doesn't use email address as username) has asked me to create a username in the first field. It might be difficult to change your code to do this, but it's obviously very easy in general.