EmailAuth

From Wikitech

EmailAuth is a MediaWiki extension that can require users to input a verification code sent to their email address in certain circumstances.

mw:Help:Extension:EmailAuth describes what this looks like from the user side.

How does it work?

EmailAuth has a secondary authentication provider on auth.wikimedia.org. It runs a hook, EmailAuthRequireToken, passing in a $verificationRequired variable.

The EmailAuthHooks class in WikimediaEvents (for lack of a better place) implements the business logic for deciding whether $verificationRequired should be set to true. It makes a decision based on information from several other extensions about how secure or important the user account is and how suspicious the circumstances of the login are.

Deployment is controlled with the wgWikimediaEventsEmailAuthEnforce flag in InitialiseSettings.php; when the flag is set to false, the logic only logs whether it would have taken action and does nothing else.

Both web and API login requests are affected by EmailAuth.
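
The log-only versus enforce behaviour described above, as an added stand-alone PHP sketch (not the EmailAuthHooks code). The signal names, the policy and the function names are hypothetical; only $verificationRequired and the enforce flag come from this page.

```php
<?php
// Added illustration, not the EmailAuthHooks code from WikimediaEvents.
// The signal names and the policy in wantsEmailCode() are hypothetical.

/** Decide whether this login looks risky enough to ask for an email code. */
function wantsEmailCode( array $signals ): bool {
	// Hypothetical policy: important account + unfamiliar login circumstances.
	return $signals['importantAccount'] && !$signals['familiarCircumstances'];
}

/**
 * Shaped like a handler for the EmailAuthRequireToken hook: the decision is
 * handed back through the by-reference $verificationRequired variable.
 * $enforce stands in for wgWikimediaEventsEmailAuthEnforce.
 */
function onRequireToken(
	array $signals, bool $enforce, bool &$verificationRequired, array &$log
): void {
	$wouldRequire = wantsEmailCode( $signals );
	// Log in both modes so dry-run and enforced decisions can be compared.
	$log[] = [
		'user' => $signals['user'],
		'wouldRequire' => $wouldRequire,
		'enforced' => $enforce && $wouldRequire,
	];
	if ( $enforce && $wouldRequire ) {
		$verificationRequired = true;
	}
	// Never reset to false here: an earlier handler may already require a code.
}

// Constructed sample logins (not real data).
$logins = [
	[ 'user' => 'ExampleAdmin', 'importantAccount' => true, 'familiarCircumstances' => false ],
	[ 'user' => 'ExampleAdmin', 'importantAccount' => true, 'familiarCircumstances' => true ],
	[ 'user' => 'ExampleUser', 'importantAccount' => false, 'familiarCircumstances' => false ],
];

foreach ( [ false, true ] as $enforce ) {
	$log = [];
	foreach ( $logins as $signals ) {
		$verificationRequired = false;
		onRequireToken( $signals, $enforce, $verificationRequired, $log );
		printf( "enforce=%s user=%s wouldRequire=%s required=%s\n",
			var_export( $enforce, true ), $signals['user'],
			var_export( end( $log )['wouldRequire'], true ),
			var_export( $verificationRequired, true ) );
	}
}
```

With the flag off, the first login is logged as wouldRequire=true but no code is demanded, which lets the false-positive rate be reviewed in the logs before enforcement is switched on.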

Monitoring

Logstash dashboard: https://logstash.wikimedia.org/app/dashboards#/view/4d894cd0-1005-11f0-941d-7184edf05188