>>caust1+(OP)
Credential stuffing would be a much less effective strategy if web apps went back to string-based usernames, and not email-based ones.
Also, I hit CTRL-F on this post for the term "portable", and I got zero hits. Both passwords and SSH keys are trivially portable. Not so much with WebAuthn passkeys.
>>jgalt2+dw1
Let's please not. Password recovery flows are hard enough to get right and usually suck; adding username recovery on top of that doubles the opportunity for locking legitimate users out.