I think you might be missing the point here....
Two different scenarios here:
1. You create a ticket.
2. Ticket info gets e-mailed to you.
3. You go to the site and log in with ticket number and e-mail to check your ticket.
Your ticket number isn't hidden when entering it into the login field (your main argument why this isn't a security issue). Who's going to see it? The guy standing behind you? I assume you know he's there.
Next scenario:
1. You create a ticket.
2. Ticket number is displayed after you create the ticket.
3. You log in with ticket number and e-mail to check your ticket.
4. The guy down the street decides he wants to access your account.
5. He goes to the site, creates a new ticket witn your e-mail address.
6. The ticket number is shown to him after he creates the ticket.
7. He logs in with your e-mail and the new ticket number he has just created, and now has access to your entire ticket history.
If you can have a ticket number handed to you on a silver platter any time you want one, then ALL you need to access a client's ENTIRE ticket history is their e-mail address. Most people publish these e-mail addresses in plain site on their web sites, and even if they don't, they're not hard to guess (support@, sales@, info@, webmaster@, etc.).
There is no way that displaying ticket numbers in any format other than through e-mail is NOT a security risk.