I haven't seen anyone address this, but it's important to note that any registrar that doesn't let you change your username/login might be a security risk (whatever can be used to login basically).
Namecheap - doesn't let you change your username. But you have to give your username away to strangers to make transfers and account pushes.
GoDaddy - doesn't let you change your customer number, but you give your customer number away to make transfers and login and it's on every receipt.
So if a bad actor gets those, they can try to engineer their way into your account. Not sure why they haven't changed this yet, I like both of those registrars but this seems like a security oversight. Hopefully they will change that.
And of course, 2 factor auth is a must.
EDIT: I should add that I'm comparing this to my recent experience with Uniregistry, which uses only your email address as a login. Presumably you can change your email address if an issue were to arise.