whythawk / hrd


Username not requested during initial login - potential risk of compromise? #91

Closed ratkins5 closed 9 years ago

ratkins5 commented 9 years ago

Current new user process allows the new user to log all the way in from the link in the email. It doesn't ask them for their username. Once they're in, they can see their username on the screen. Can/should we require their username from them? The current system would open the site to someone who had previously compromised the new user's email. We can send them the username separately, via encrypted email.

tobes commented 9 years ago

Testing locally, the add new user link does not log the user in, so there is no username. I tried testing on the live system but it doesn't like my email alias.

Can you check again and provide greater detail of the process?

ratkins5 commented 9 years ago

I've gone back in on this and realised it's a false alarm. I hadn't logged ratkins out when I was logging the new user in. Deleting issue; sorry.