Hopefully this is not a public username, as that would mean people’s email addresses are made public. If it’s just for logging in, of course, forget about “username” and just ask for what it is: an email address.
The “username or email address” is for when you have both and either is acceptable for logging in.
Make sure your UI is consistent with the words it uses.
Macy-Lynn has excellent advice: tell users when registering that their email is their username, in case you have text somewhere stating “username” (which you should try to avoid).
GMail has this and it’s a bit unfortunate. The UI is not consistent:
If I go to Gmail.com I’m expected to fill in my entire email address and password, which makes sense. However, sometimes I am at work and the network redirects me specifically to mycompanyname.gmail.com. On this page, if I try to fill in an email address, I get an error about using @ symbols: they only want the “username” (the first part of my email address) and password.
Don’t do this. Be consistent. Linkedin.com always asks for an email address, for example. It keeps things simple by never mentioning “usernames”.
This is the plan/scheme, unless you see security holes in it.
As Ralph said, many people will be dumb enough to use a regular email address to register with you. This means they’re typing in a live email address to log in later. Bad. The smart people will take the time to go make a throw-away email address, so that if you get compromised, or their session, or whatever, their actual used email address is not involved.
I was stupid and gave LinkedIn my real email address. It gets a lot of fake LinkedIn spam now. LinkedIn has been compromised at least twice now (passwords stolen). I assume my email address has been taken from there and fed to more spam houses. You’d better have better security than LinkedIn.
Well, stuff like: wherever you store these things, keep it inaccessible directly via the web (a different folder if it’s a file, so not in /var/www for instance), don’t save as plaintext, and set conditions on your DB (like your DB user having limited access and maybe being the sole superuser, etc.).
I assume this is basic stuff but have no direct experience with it. But there’s a Web Security section here on the forums with people who know this stuff.
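To make the “don’t save as plaintext” and “email is the username” points concrete, here is a small worked example. It is added here and is not code from anyone in the thread; it assumes an in-memory SQLite table as the user store and PBKDF2-HMAC-SHA256 as the password hash (the thread names no particular algorithm), and it does not cover the file-location or restricted-DB-user advice above, which is configured outside application code.

```python
"""Hypothetical email-as-username login store (added example, not from the thread).

Passwords are never stored as entered: each gets a random salt and a
PBKDF2-HMAC-SHA256 hash. The SQLite database is created in memory here,
with constructed sample data, so the example runs offline.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumption: work factor for current hardware, tune for yours
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing string: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>.

    Storing the parameters next to the hash lets you raise the work factor
    later and re-hash users on their next successful login.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, e.g. a legacy plaintext value
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def normalize_email(email: str) -> str:
    """The email address is the username, so keep it in one canonical form."""
    return email.strip().lower()


# Hash of a throwaway value, computed once: an unknown email still costs a full
# PBKDF2 run at login, so timing does not reveal which addresses are registered.
_DUMMY_HASH = hash_password("dummy-password-for-timing-only")


def open_store() -> sqlite3.Connection:
    """Create the (constructed, in-memory) user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Store the hashed password; False if the address is already taken."""
    try:
        conn.execute(
            "INSERT INTO users (email, password_hash) VALUES (?, ?)",
            (normalize_email(email), hash_password(password)),
        )
    except sqlite3.IntegrityError:
        return False
    return True


def login(conn: sqlite3.Connection, email: str, password: str) -> bool:
    """Look the user up by email (parameterized query) and verify the password."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE email = ?", (normalize_email(email),)
    ).fetchone()
    stored = row[0] if row else _DUMMY_HASH
    ok = verify_password(password, stored)
    return ok and row is not None


if __name__ == "__main__":
    db = open_store()
    register(db, "Alice@Example.com", "correct horse battery staple")
    print(login(db, "alice@example.com", "correct horse battery staple"))  # True
    print(login(db, "alice@example.com", "wrong"))                          # False
```

The query uses placeholders rather than string formatting, the hash record carries its own salt and iteration count, and the comparison goes through `hmac.compare_digest`; these three details are what separate a password table that survives a database leak from one that does not.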