Joomla has a built-in function on its login screen, ‘I’ve forgotten my user name’, so that you can type in your email address and the username is sent to you via email.
I was thinking of changing it so that the username was displayed on screen immediately, without any form of authentication. This would greatly reduce the friction for our users who are returning after a long while, but it would allow anyone to type in any email address and see the associated username (definitely not the other way around though).
Does this create any security risks? Is it a good idea at all?
I would say it is a slight security risk for your less savvy users. For a user with a weak password, particularly if it is related to their username or e-mail address, exposing their user name leaves them open to having their account hijacked. Other than that, I can’t think of a reason it would be a problem. If the user has good passwords, it shouldn’t matter at all.
I guess there is a slight anonymity concern. On a forum for example, I wouldn’t want someone who ‘knows’ me to find out my username without me telling them. In this case they could take my e-mail and get it. But whether that is an issue depends on your site and your user base.
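An added sketch (not part of the original thread, and not Joomla's own code) of the email-based reminder the question describes: the screen shows the same message whether or not the address is registered, so the form cannot be used to map email addresses to usernames. The account data, the per-client limits and the `send_mail` callback are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed sample accounts (assumption, not data from the thread).
USERS = {"alice@example.com": "alice_w", "bob@example.com": "bobby77"}
GENERIC = "If that address is registered, the username has been emailed to it."
MAX_REQUESTS, WINDOW_SECONDS = 5, 3600  # assumed limit per client


class UsernameReminder:
    def __init__(self, users, send_mail, clock=time.time):
        self.users = {k.lower(): v for k, v in users.items()}
        self.send_mail = send_mail          # hypothetical mail callback
        self.clock = clock
        self.recent = defaultdict(deque)    # client id -> request timestamps

    def _allowed(self, client):
        """Sliding-window limit so one client cannot probe many addresses."""
        now = self.clock()
        q = self.recent[client]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        if len(q) >= MAX_REQUESTS:
            return False
        q.append(now)
        return True

    def request(self, client, email):
        """Return the on-screen text; the username only goes to the mailbox."""
        key = email.strip().lower()
        if self._allowed(client):
            username = self.users.get(key)
            if username is not None:
                # Mail the stored address, never echo the username on screen.
                self.send_mail(key, f"Your username is {username}")
        # Same text for known, unknown and rate-limited requests.
        return GENERIC


def demo():
    outbox = []
    svc = UsernameReminder(USERS, lambda to, body: outbox.append((to, body)))
    known = svc.request("203.0.113.5", "Alice@Example.com")
    unknown = svc.request("203.0.113.5", "nobody@example.com")
    return known, unknown, outbox
```

Showing the username on screen instead would make `request` return a different value for registered and unregistered addresses, which is exactly the lookup the answer above is concerned about.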