What is the purpose of "User can change username"? In testing this, I see that the DNN value gets written back, anyhow. I thought there might be some security process for handling this  (a confirming email sent to the user's email address) but it doesn't really appear to do anything if this field is tied to the DNN core value. Am I missing something?

Come to think of it, the idea of allowing a user to change their email address also has problems without some verification process. Suggestions?

Yes there is no processes right now for 're-verifying' a users email address if they change it but it something we can look into for future releases. You could always set this field to be read-only and not allow the user to change it?

First, if you are signed in as host you will always have the ability to change your username but if you are signed in as a standard user the username field will either be read-only or the user would have the option to change it.