A forget password form should not require your username. If you forgot your password, there's a pretty good chance you don't remember you username. Email address is good enough. How is that not secure enough? Your going to prevent many from accessing the website. If they're persistent and create another account with another email address, then you have dead accounts. I'm a web developer, and I've never understood the superfluous username requirement. I'll make sure I save my activation email this time!