As of 20.12-sp2-225, ZIOS usernames are used verbatim in REST API but the front-end does not prevent the use of characters which are invalid in HTTP URIs nor are these characters URI-encoded before their use.
The result is that usernames with symbols like @ can be created, but break when used with the API. This affects internal API calls as well, which prevents users with these symbols from enabling 2FA/MFA.
The current solution is to simply guide customers towards using only
_ until future releases which should add support for these characters by either URI-escaping them or using the users ID.