GDPR requires the user to identify themselves to request data.

If a password and username is the only possible way of identification then that is enough. And if one can not provide that then tough luck it is.