Question username as verification tool

[9livesdragon]

Using vBSecurity, we're going to reset all passwords.
Users will be sent a mail asking them to change their passwords, using a link: /forum/login.php?do=lostpw&email=$email with $email being replaced with the users email address.
Are there places in the software (both vBulletin & vBSecurity) where the username is used as verification (in login attempts) instead of email addresses? If so, is there a list of these places & information on how to protect (or disable) these places?

Many thanks!

 

[Fillip H.]

If you refer to the ability to request or change passwords without needing to know the user's email address, then no

 

[9livesdragon]

I got this feedback from vBulletin: All logins in vBulletin are processed via username by default. Email login is not possible nor is it more secure.
So according to them, only usernames are used for login, not email addresses, right?

 

[Fillip H.]

For login itself, username is indeed always used. But that's not related to the Lost Password feature, which requires the email address in order to be processed.