...
A malicious party could still alter the username, preventing which would require server-side measures(e.g. a step in the MFA Flow, or a post-login authentication flow). However, there is typically no need to worry about that since the service provider is responsible for determining the strength of the authentication required.
...