Available from version ???
Decide whether verification via email is required for this login to succeed (and optionally modify the messaging)
Define function:
public static function onEmailAuthRequireToken( $user, &$verificationRequired, &$formMessage, &$subjectMessage, &$bodyMessage ) { ... }
Attach hook:
$wgHooks['EmailAuthRequireToken'][] = 'MyExtensionHooks::onEmailAuthRequireToken';
Called from:File(s): EmailAuth / includes/EmailAuthSecondaryAuthenticationProvider.php

For more information about attaching hooks, see Manual:Hooks .
For examples of other extensions using this hook, see Category:EmailAuthRequireToken extensions.

The hook will be called on every login that would be successful. When $verificationRequired is changed to true, an extra step is added to the login: a six-letter verification code is emailed to the user, and must be entered for the login to succeed.

The meaning of the parameters:

  • $user (User): The user trying to log in.
  • &$verificationRequired: (bool) Change this to true to enable verification.
  • &$formMessage: (Message) Message telling the user they need to do an extra verification step.
  • &$subjectMessage: (Message) subject of the email with the verification code
  • &$bodyMessage: (Message) body of the email with the verification code; last parameter must be the token and will be set later

The Message parameters have sensible defaults.

An example that will force email verification for all admins who do not use OATH:

$wgHooks['EmailAuthRequireToken'][] = function (
        $user, &$verificationRequired, &$formMessage, &$subjectMessage, &$bodyMessage
) {
    if (
        class_exists( OATHAuthUtils::class ) &&
        OATHAuthUtils::isEnabledFor( $user )
    ) {

    if ( $user->isAllowed( 'delete' ) ) {
        $verificationRequired = true;
        return false;