It's only useless if the website reveals the username elsewhere, but that doesn't have to be the case.
Consider the case when the primary usernames are always emails (many sites do this), and signing up for an account is simply done with entering an email and a password. Then, when someone submits a signup form, the website can:
- Check if an account with the email exists, and if it does, whether the given password matches the existing one.
- If both are valid, log the user in, optionally showing a message saying “there was already an account with these credentials so we logged you in”
- If an account with the email does not exist, or if it exists and the password doesn’t match, return a message to the user saying “please check your email and follow the validation link”. The user can’t tell if the email exists or not.
In the backend:
- If the account did exist, send an email to the user saying “someone tried to sign up for an account with your email, please let us know if it was you. and here’s a way to reset your password if you forgot it”.
- If the account did not exist, send an email verification link, which then redirects to a page to complete the user signup
Same with password resets, the success message can always say "check your email".
There are ways around revealing the username. But I agree, only doing this in the login page is useless.
If you have to validate email addresses, which I believe you do, what I suggested doesn't add any more steps so I doubt it would cost anything. To the contrary, given that the initial user signup is so simple (just an email and password), users will be much more likely to complete it compared to other signup forms that require more data. Once they are logged in and on your site, you can gamify whatever portions of the profile you need filled, that is, if you need any more data (most sites like hackernews don't).
Actually I'm wrong about hackernews, you'd need a username, but still, you can choose that after you sign up, and you shouldn't be able to log in with that username, that should only be a public handle for your account on forums, comments, etc.
Consider the case when the primary usernames are always emails (many sites do this), and signing up for an account is simply done with entering an email and a password. Then, when someone submits a signup form, the website can:
- Check if an account with the email exists, and if it does, whether the given password matches the existing one.
- If both are valid, log the user in, optionally showing a message saying “there was already an account with these credentials so we logged you in”
- If an account with the email does not exist, or if it exists and the password doesn’t match, return a message to the user saying “please check your email and follow the validation link”. The user can’t tell if the email exists or not.
In the backend:
- If the account did exist, send an email to the user saying “someone tried to sign up for an account with your email, please let us know if it was you. and here’s a way to reset your password if you forgot it”.
- If the account did not exist, send an email verification link, which then redirects to a page to complete the user signup
Same with password resets, the success message can always say "check your email".
There are ways around revealing the username. But I agree, only doing this in the login page is useless.