Join GitHub today
The "email only" auth was done because it's easier to implement, and because it's easier for users; but I'm not so sure any more if it's such a great idea. One thing I've seen is people misspelling their email address in signup form ("email@example.com") several times, meaning they'll immediately get locked out of their accounts with no real recourse for recovery other than emailing me. Not great.
Some other services like Medium also do email logins like this, so look at how they solved these kind of problems. OR maybe just use classic/standard password-auth?