I have checked ‘require username’ in the settings for my database connection.
The login prompt now says “username/email” and I can log in using either.
I would like to disable email login, so that users have to use their username.
Is this possible, and if so, how?
To my knowledge at this time that is not possible, you can customize the prompt text to only say login with username, but that won’t change the fact that both username and email will serve as valid identifiers to complete an authentication. Given that independently of how the end-user logins your applications can get both the username and email associates with that identity it would be interesting if you can update the question with the underlying use case that motivates the need for that restriction.
Thanks for your reply. My use case is that I am exploring possibilities for using Auth0 in my client’s banking/investment site, which already assigns users an ID, and for which my client is considering requiring client ID and password for login, as seems to be fairly standard in the banking sector. E.g. see security - Why do financial institutions use usernames instead of emails for login? - User Experience Stack Exchange
So it’s not possible to determine whether user supplied email or username in a rule?
I don’t think there is a reliable way; in some authentication flows like the resource owner password credentials grant it could be possible, but in others I don’t think so. Unless you use a custom database connection; in this case, although it would be expected that an end-user would have an email associated with it the actual credential validation is performed through custom scripts you control so after receiving the credentials you could treat an attempt to use email as an invalid authentication.