it seems odd/poor design that DigitalOcean decided to use a secret value for the docker login username for use-cases where using doctl is impossible or not preferred. Other software systems that integrate with docker are generally correct to assume that the username is not sensitive information, and DigitalOcean's approach here breaks that assumption.
I've personally encountered a problem using a GoCD plugin that integrates with Docker which requires you to supply the private registry credentials, and because it correctly assumes that the username is not sensitive, the DigitalOcean API token ends up being shown in plaintext in the UI, because it has to be used as both username and password. DigitalOcean should really consider implementing another non-doctl-dependent method of authenticating with their container registry that does not pose the risk of leaking plaintext credentials.