Login should only be allowed using email address and password, as both of these are 'hidden information'. Other users' usernames can be read on the site and thus make it much easier to target a specific user to break into their account.