OpenID and OAuth .....It just appears better. Even less users to manage for them and it makes migrating in one place easier on a change.
Yes, you have to be careful. I would insist that the backup email address (an additional profile field) is different than the email address they are using for the user. Many systems also have some other fields that then can use to authenticate themselves if things get really hairy. At this point though, it would frequently require a tech support call.
Depending on the type of system, using email may be a security vulnerability. I know your email address, I don't know what you might put into a username prompt. If being able to easily guess a username is an issue, then I would not use email address.
